
XenForo: EUVD-2025-209156

CVE-2025-71281 | HIGH | Code Injection (CWE-94)
Published 2026-04-01 | VulnCheck | GHSA-gvjw-m4hx-6454
CVSS 4.0 (NVD): 8.7

Severity by source

NVD (primary): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS vector (NVD), decoded

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (6 events)

- Apr 16, 2026 06:09: Analysis updated (EUVD-patch-fix, executive_summary)
- Apr 16, 2026 05:29: Re-analysis queued (backfill_euvd_patch, patch_released)
- Apr 16, 2026 05:29: Patch available (EUVD): 2.3.7
- Apr 01, 2026 01:15: EUVD ID assigned (euvd): EUVD-2025-209156
- Apr 01, 2026 01:15: Analysis generated (vuln.today)
- Apr 01, 2026 00:30: CVE published (nvd): HIGH 8.7

Description (source: CVE.org)

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.

Analysis (AI-generated)

XenForo versions before 2.3.7 allow authenticated users to invoke unauthorized methods through template callbacks and variable method calls, which can lead to remote code execution. The vulnerability stems from a loose prefix matching mechanism that permits bypassing the intended access restrictions, so an attacker with a low-privilege account can achieve high-severity impact on confidentiality, integrity, and availability. No public exploit was identified at the time of analysis, though the technical details have been publicly disclosed by VulnCheck, which increases the risk of weaponization.

Technical Context (AI-generated)

XenForo is a PHP-based forum platform that uses a templating engine to render dynamic content. The vulnerability affects the template method invocation mechanism (CWE-94: Improper Control of Generation of Code/Code Injection). The platform's template system permits callbacks and variable method calls to execute PHP methods, but the access control relied on prefix matching rather than strict first-word matching. This loose comparison allows attackers to craft template inputs that match benign method prefixes while actually invoking restricted or dangerous methods. Affected product per CPE is cpe:2.3:a:xenforo:xenforo for all versions prior to 2.3.7. The flaw exists at the template parsing layer where user-controlled template syntax is translated into executable PHP code, creating a code injection surface when combined with insufficient method access controls.

Remediation (AI-generated)

Vendor-released patch: XenForo 2.3.7. Administrators should immediately upgrade all XenForo installations to version 2.3.7 or later following the vendor's standard update procedures documented in the official security advisory at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/. The patch implements stricter first-word matching for template method invocations, replacing the vulnerable prefix matching logic. No workarounds are documented; upgrading to the patched version is the only complete remediation. Post-upgrade, administrators should review access logs for suspicious template-related activity and audit user accounts with template modification privileges. Organizations unable to immediately patch should consider restricting user registration and limiting template access to highly trusted administrators until the upgrade can be completed.
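As an added illustration of the difference the Technical Context and Remediation sections describe, the following PHP contrasts a loose prefix allowlist check with a strict first-word check. This is not XenForo's code (the advisory does not reproduce it); the allowed words, the camelCase reading of "first word", and the sample method names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed allowlist of method-name "first words" a template may call.
// Illustrative only, not XenForo's actual list.
const ALLOWED_FIRST_WORDS = ['get', 'is', 'has', 'can'];

// Weak check: a plain prefix test. Any method whose name merely begins
// with an allowed word passes, e.g. 'canonicalizeUrl' via 'can' or
// 'isolateRequest' via 'is', although their first camelCase word differs.
function isMethodAllowedLoose(string $method): bool
{
    foreach (ALLOWED_FIRST_WORDS as $word) {
        if (strncmp($method, $word, strlen($word)) === 0) {
            return true;
        }
    }
    return false;
}

// Strict check: the allowed word must be the entire first camelCase word,
// i.e. it must be followed by an uppercase letter or by the end of the name.
function isMethodAllowedFirstWord(string $method): bool
{
    foreach (ALLOWED_FIRST_WORDS as $word) {
        $len = strlen($word);
        if (strncmp($method, $word, $len) !== 0) {
            continue;
        }
        if (strlen($method) === $len || ctype_upper($method[$len])) {
            return true;
        }
    }
    return false;
}

// Constructed sample names: two legitimate helpers, two names that share a
// prefix with an allowed word without starting with that word, and one
// that neither check accepts.
$samples = ['getTitle', 'canViewThread', 'canonicalizeUrl', 'isolateRequest', 'deleteThread'];
foreach ($samples as $name) {
    printf("%-16s loose=%-5s first-word=%s\n", $name,
        isMethodAllowedLoose($name) ? 'allow' : 'deny',
        isMethodAllowedFirstWord($name) ? 'allow' : 'deny');
}
```

The loose column accepts canonicalizeUrl and isolateRequest while the first-word column rejects them, which is the class of bypass the stricter matching in 2.3.7 closes.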


Source: EUVD-2025-209156 vulnerability details, vuln.today
