CVE-2026-35056
HIGH | EXPLOITED
XenForo Remote Code Execution via Authenticated Admin
Title source: CNA
Exploitation Summary
CVE-2026-35056 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
XenForo before 2.3.9 on the 2.3 branch and before 2.2.18 on earlier branches allows remote code execution (RCE) by an authenticated administrator, i.e. a malicious or compromised admin account. An attacker with access to the admin control panel can execute arbitrary code on the server. Note that this requires high privileges (CVSS PR:H), so the practical risk is concentrated in admin credential theft, weak admin passwords, and insider misuse; the fix is to upgrade to 2.3.9 or 2.2.18.
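As an added example that is not part of this record or of XenForo's own code, the following Python checks whether an installed XenForo version string falls inside the affected ranges listed on this page (anything below 2.2.18, or 2.3.0 up to but excluding 2.3.9). The src/XF.php layout it parses (a line of the form public static $version = '...';) and the sample file contents are assumptions constructed for the example; the " Patch N" suffix handling is likewise an assumption, treating a patched build as sharing its base version's fix status.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed on this page (fixed in 2.2.18 and 2.3.9).
FIXED_22 = (2, 2, 18)
FIRST_23 = (2, 3, 0)
FIXED_23 = (2, 3, 9)

# Leading major.minor.patch; any suffix such as " Patch 1" is ignored
# (assumption: a suffixed build has the same fix status as its base version).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Assumed layout of XenForo's src/XF.php; adjust if your tree differs.
_PHP_VERSION_RE = re.compile(r"\$version\s*=\s*'([^']+)'")

# Constructed sample of src/XF.php for offline use; not a real file.
SAMPLE_XF_PHP = """<?php
namespace XF;

class XF
{
    public static $version = '2.3.8 Patch 1';
}
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a XenForo version string, or None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_from_xf_php(source: str) -> Optional[str]:
    """Extract the version string from src/XF.php contents (assumed layout)."""
    m = _PHP_VERSION_RE.search(source)
    return m.group(1) if m else None


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is inside the affected ranges on this page,
    False if it is at or above the fixed version for its branch,
    None if the string cannot be parsed.

    Versions outside the listed branches (e.g. a hypothetical 2.4.x) are
    reported as not affected only because the page lists no range for them.
    """
    v = parse_version(text)
    if v is None:
        return None
    if v < FIXED_22:            # 2.2.x before 2.2.18, and all older branches
        return True
    if FIRST_23 <= v < FIXED_23:  # 2.3.0 up to but excluding 2.3.9
        return True
    return False


if __name__ == "__main__":
    for s in ["2.1.10", "2.2.17", "2.2.18", "2.3.0", "2.3.8 Patch 1", "2.3.9"]:
        print(f"{s:16} {'AFFECTED' if is_vulnerable(s) else 'not affected'}")
    found = version_from_xf_php(SAMPLE_XF_PHP)
    print(f"sample src/XF.php reports {found}: "
          f"{'AFFECTED' if is_vulnerable(found) else 'not affected'}")
```

Run it against the version string shown in the admin control panel or pulled from src/XF.php; any AFFECTED result means the instance should be upgraded to 2.2.18 or 2.3.9 and, given the authenticated-admin vector, admin accounts and recent admin-panel activity should be reviewed.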
References (2)
Core References
Vendor Advisory (vendor-advisory, patch): XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)
https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/
Third Party Advisory (third-party-advisory): VulnCheck Advisory: XenForo Remote Code Execution via Authenticated Admin
https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin
Scores
CVSS v3: 7.2 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0067 (percentile 46.8%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Note: the Exploitation value is CISA's Vulnrichment assessment and differs from the VulnCheck KEV entry on this page, which records in-the-wild exploitation.
Details
VulnCheck KEV: 2026-03-30
CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products (3)
XenForo/XenForo: < 2.2.18
xenforo/xenforo: < 2.2.18
XenForo/XenForo: 2.3.0 - 2.3.9 (upper bound exclusive; 2.3.9 is the fixed release)
Published: Apr 01, 2026
Tracked Since: Apr 01, 2026