CVE-2026-35054
Severity: MEDIUM
XenForo Stored Cross-Site Scripting via BB Code Rendering
Title source: cna
Description
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.
References (2)
Core References
Vendor Advisory (tags: vendor-advisory, patch)
XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)
https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/
Third Party Advisory (tag: third-party-advisory)
VulnCheck Advisory: XenForo Stored Cross-Site Scripting via BB Code Rendering
https://www.vulncheck.com/advisories/xenforo-stored-cross-site-scripting-via-bb-code-rendering
Scores
CVSS v3: 6.4
EPSS: 0.0014
EPSS Percentile: 3.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
xenforo/xenforo: < 2.3.9
XenForo/XenForo: 2.3.0 - 2.3.9
Published: Apr 01, 2026
Tracked Since: Apr 01, 2026