Known Vulnerabilities for products from XenForo
Listed below are 11 of the newest known vulnerabilities associated with the vendor "XenForo".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-35057 json | XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, prima... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2026-35056 json | Not Provided | 2026-04-01 | 2026-04-01 | |
| CVE-2026-35055 json | Not Provided | 2026-04-01 | 2026-04-01 | |
| CVE-2026-35054 json | XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject ... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71282 json | XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allow... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71281 json | XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71280 json | XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multipl... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71279 json | XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be a... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-71278 json | XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2024-58342 json | XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not ... | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2021-43032 json | In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising fu... | 4.8 - MEDIUM | 2021-11-03 | 2021-11-05 |