Severity by source

CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.
Analysis (AI)
Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious scripts that execute in the context of other users' browsers when interacting with post content displayed via lightbox. Versions before 2.3.9 and 2.2.18 are affected. …
Vulnerability Assessment (AI)

| Section | Assessment |
|---|---|
| Risk Assessment | The CVSS v4.0 score of 5.1 reflects a moderate threat: the attack is unauthenticated and reachable over the network (AV:N/AC:L/PR:N), but it requires user interaction (UI:A) and the impact is constrained. The vulnerable system itself sees no confidentiality, integrity or availability impact (VC:N/VI:N/VA:N); the only impact is low confidentiality and integrity loss on the subsequent system, i.e. the viewing user's browser session (SC:L/SI:L), with no subsequent availability impact (SA:N). … |
| Exploit Scenario | An attacker crafts a malicious post containing embedded JavaScript designed to execute within the lightbox context. When other forum users view the attacker's post and interact with media displayed in the lightbox (such as clicking an image thumbnail or hovering over content), the injected script executes in their browser with their session credentials. … |
| Remediation | Immediately upgrade to XenForo 2.3.9 or later if running a 2.3.x version, or to 2.2.18 or later if running a 2.2.x version. … |
Same weakness: CWE-79 – Cross-site Scripting (XSS)

Related XenForo vulnerabilities (descriptions truncated as on the source page):

- Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut…
- Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through…
- OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req…
- XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by…
- Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit…
- XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page…
- Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious…
- Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu…
EUVD-2026-17741