Skip to main content

Xenforo EUVDEUVD-2026-17743

| CVE-2026-35056 HIGH
Code Injection (CWE-94)
2026-04-01 VulnCheck
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.3.9,2.2.18
EUVD ID Assigned
Apr 01, 2026 - 01:15 euvd
EUVD-2026-17743
Analysis Generated
Apr 01, 2026 - 01:15 vuln.today
CVE Published
Apr 01, 2026 - 00:30 nvd
HIGH 8.6

DescriptionCVE.org

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

AnalysisAI

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.

Technical ContextAI

XenForo is a PHP-based forum software platform. This vulnerability stems from CWE-94 (Improper Control of Generation of Code / Code Injection), indicating inadequate input validation or sanitization of data processed by authenticated administrators. The admin panel likely accepts user-controlled input that is subsequently evaluated or executed as code without sufficient restrictions. Given the PHP ecosystem typical to XenForo (cpe:2.3:a:xenforo:xenforo), this could involve unsafe use of functions like eval(), unserialize(), or template engine exploits that permit code injection when admin-level users supply crafted payloads. The CVSS vector confirms network-accessible exploitation with no user interaction required once admin access is obtained.

RemediationAI

Upgrade immediately to XenForo 2.3.9 or later for 2.3.x installations, or XenForo 2.2.18 or later for 2.2.x installations per the official vendor security advisory at https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/. No workarounds are documented; patching is the only confirmed mitigation. As an interim risk reduction measure, organizations should audit admin user accounts, enforce strong authentication with MFA for admin panel access, monitor admin activity logs for suspicious behavior, and restrict admin panel access to trusted IP ranges via firewall rules or web application firewall policies. Review and revoke unnecessary admin privileges following least-privilege principles.

CVE-2024-38458 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows code injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2024-38457 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authen

CVE-2025-71279 CRITICAL
9.3 Apr 01

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut

CVE-2021-43032 MEDIUM POC
4.8 Nov 03

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertisi

CVE-2025-71281 HIGH
8.7 Apr 01

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through

CVE-2025-71278 HIGH
8.7 Apr 01

OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req

CVE-2025-71282 HIGH
8.7 Apr 01

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by

CVE-2024-25006 HIGH
8.1 Feb 29

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to adm

CVE-2025-71280 MEDIUM
6.9 Apr 01

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page

CVE-2026-35057 MEDIUM
5.1 Apr 01

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious

CVE-2026-35055 MEDIUM
5.1 Apr 01

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious

CVE-2026-35054 MEDIUM
5.1 Apr 01

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu

Share

EUVD-2026-17743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy