Known Vulnerabilities for products from XenForo
Listed below are 11 of the newest known vulnerabilities associated with the vendor "XenForo".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-35057 | XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, prima... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2026-35056 | Not Provided | 2026-04-01 | 2026-04-01 | |
| CVE-2026-35055 | Not Provided | 2026-04-01 | 2026-04-01 | |
| CVE-2026-35054 | XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject ... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71282 | XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allow... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71281 | XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71280 | XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multipl... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71279 | XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be a... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71278 | XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2024-58342 | XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not ... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2021-43032 | In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising fu... | 4.8 - MEDIUM | 2021-11-03 | 2021-11-05 |