Skip to main content

Xenforo CVE-2026-35057

| EUVDEUVD-2026-17745 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 VulnCheck
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.3.10,2.2.19
EUVD ID Assigned
Apr 01, 2026 - 01:15 euvd
EUVD-2026-17745
Analysis Generated
Apr 01, 2026 - 01:15 vuln.today
CVE Published
Apr 01, 2026 - 00:30 nvd
MEDIUM 5.1

DescriptionCVE.org

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

AnalysisAI

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious scripts through crafted structured text mentions in profile posts, which are executed when other users view the affected content. The vulnerability has a CVSS score of 5.1 with low attack complexity and requires user interaction (viewing the malicious post), making it a moderate-risk concern for XenForo communities. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS vector indicates network-based remote attack (AV:N) with low complexity (AC:L), requiring login (PR:L) and user interaction (UI:P) to trigger. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker (user account on the target XenForo forum) crafts a malicious profile post containing a specially-formatted mention that bypasses input sanitization, injecting JavaScript code such as session cookie theft or account hijacking scripts. When other forum members visit the attacker's profile or view profile post content in community feeds, the stored malicious script executes in their browsers with the permissions of the XenForo application, potentially compromising their sessions or performing actions on their behalf. …
Remediation Vendor-released patch: Upgrade to XenForo 2.3.10 or 2.2.19 or later, depending on your current branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy