CVE-2026-35056
HIGH EXPLOITED
XenForo Remote Code Execution via Authenticated Admin
Title source: cna
Description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Scores
CVSS v3: 7.2
EPSS: 0.0043
EPSS Percentile: 62.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2026-03-30
CWE: CWE-94
Status: published
Products (3)
XenForo/XenForo: < 2.2.18
xenforo/xenforo: < 2.2.18
XenForo/XenForo: 2.3.0 - 2.3.9
Published: Apr 01, 2026
Tracked Since: Apr 01, 2026