Xenforo

9 CVEs

CVE-2026-35057 | Severity: MEDIUM | Action: PATCH This Month

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious scripts through crafted structured text mentions in profile posts, which are executed when other users view the affected content. The vulnerability has a CVSS score of 5.1 with low attack complexity and requires user interaction (viewing the malicious post), making it a moderate-risk concern for XenForo communities. Publicly available exploit code has been identified, and vendor patches have been released.

Tags: XSS, Xenforo | References: NVD, GitHub | CVSS 4.0: 5.1 | EPSS: 0.0%

CVE-2026-35056 | Severity: HIGH | Action: PATCH This Week

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. The attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.

Tags: RCE, Code Injection, Xenforo | References: NVD | CVSS 4.0: 8.6 | EPSS: 0.3%

CVE-2026-35055 | Severity: MEDIUM | Action: PATCH This Month

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious scripts that execute in the context of other users' browsers when interacting with post content displayed via lightbox. Versions before 2.3.9 and 2.2.18 are affected. The vulnerability requires user interaction (clicking or hovering on lightbox elements) and has limited scope, affecting only session integrity and information disclosure rather than system availability or confidentiality of sensitive data.

Tags: XSS, Xenforo | References: NVD | CVSS 4.0: 5.1 | EPSS: 0.0%

CVE-2026-35054 | Severity: MEDIUM | Action: PATCH This Month

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts through BB code that persist in the application and execute when other users view the affected content. The vulnerability requires user interaction (viewing the malicious post) and authenticated access to create content, limiting its scope but enabling account compromise and session hijacking of affected users.

Tags: XSS, Xenforo | References: NVD | CVSS 4.0: 5.1 | EPSS: 0.0%

CVE-2025-71282 | Severity: HIGH | Action: PATCH This Week

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by open_basedir PHP restrictions, enabling remote unauthenticated attackers to map internal directory structures. This information disclosure vulnerability (CWE-209) affects XenForo installations and has been addressed in version 2.3.7 with vendor-confirmed security fixes. No public exploit code or active exploitation is identified at time of analysis, though the unauthenticated remote attack vector and low complexity make reconnaissance straightforward for targeted attacks.

Tags: Information Disclosure, Xenforo | References: NVD | CVSS 4.0: 8.7 | EPSS: 0.0%

CVE-2025-71281 | Severity: HIGH | Action: PATCH This Week

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through template callbacks and variable method calls. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing weaponization risk.

Tags: RCE, Code Injection, Xenforo | References: NVD | CVSS 4.0: 8.7 | EPSS: 0.0%

CVE-2025-71280 | Severity: MEDIUM | Action: PATCH This Month

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account pages on shared systems. Local users with access to a shared machine or browser can retrieve cached account data belonging to other users who previously accessed XenForo, enabling unauthorized information disclosure without authentication. No public exploit code or active exploitation has been identified; remediation requires upgrading to XenForo 2.3.7 or later.

Tags: Information Disclosure, Xenforo | References: NVD | CVSS 4.0: 6.9 | EPSS: 0.0%

CVE-2025-71279 | Severity: CRITICAL | Action: PATCH Act Now

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unauthenticated attackers to bypass security controls protecting passkey-enabled user accounts. No public exploit identified at time of analysis; EPSS data was not available. The vulnerability affects a critical authentication mechanism (WebAuthn/passkeys), representing a high-severity threat to forum platforms relying on this modern authentication method.

Tags: Authentication Bypass, Xenforo | References: NVD | CVSS 4.0: 9.3 | EPSS: 0.1%

CVE-2025-71278 | Severity: HIGH | Action: PATCH This Week

OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to request and obtain unauthorized scopes, escalating access beyond intended authorization levels. This authentication bypass flaw (CWE-863) enables malicious OAuth2 clients to gain elevated privileges to user data and platform functions. CVSS 8.7 (High) reflects the network-accessible attack vector with low complexity, though it requires low privileges (an authenticated OAuth client). No public exploit identified at time of analysis; EPSS data is unavailable for this recent CVE.

Tags: Authentication Bypass, Xenforo | References: NVD | CVSS 4.0: 8.7 | EPSS: 0.0%