Which versions of XenForo are affected by CVE-2026-35056?

XenForo installations are vulnerable to remote code execution through the administrative panel, allowing authenticated admins with compromised credentials to execute arbitrary code and achieve…. A patch is available.

How to fix or mitigate CVE-2026-35056?

Within 24 hours: Identify all XenForo instances and document current versions (vulnerable if <2.3.9 or <2.2.18). Audit admin account access logs for suspicious activity in the past 90 days. Within 7 days: Apply vendor patches-upgrade to XenForo 2.3.9 or 2.2.18 (or later stable versions) and implement administrative credential rotation for all accounts with admin panel access. Within 30 days: Implement multi-factor authentication for all administrative accounts, restrict admin panel access by IP address/VPN, and establish enhanced logging for admin panel activities.

XenForo CVE-2026-35056

Q: What is the CVSS score of CVE-2026-35056?

CVE-2026-35056 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

EUVD-2026-17743 HIGH

Code Injection (CWE-94)

2026-04-01 VulnCheck

RCE Code Injection

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:09 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.3.9,2.2.18

EUVD ID Assigned

Apr 01, 2026 - 01:15 euvd

EUVD-2026-17743

Analysis Generated

Apr 01, 2026 - 01:15 vuln.today

CVE Published

Apr 01, 2026 - 00:30 nvd

HIGH 8.6

DescriptionNVD

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

AnalysisAI

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). …

RemediationAI

Within 24 hours: Identify all XenForo instances and document current versions (vulnerable if <2.3.9 or <2.2.18). Audit admin account access logs for suspicious activity in the past 90 days. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35056 vulnerability details – vuln.today

Back

XenForo CVE-2026-35056

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

XenForo CVE-2026-35056

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code