Description
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.
References (2)
Core 2
Core References
Third Party Advisory third-party-advisory
VulnCheck Advisory: XenForo Cross-Site Scripting via Lightbox in Posts
https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts
Vendor Advisory vendor-advisory
patch
XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)
https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/
Scores
CVSS v3
6.1
EPSS
0.0015
EPSS Percentile
4.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
XenForo/XenForo
< 2.2.18
xenforo/xenforo
< 2.2.18
XenForo/XenForo
2.3.0 - 2.3.9
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026