CVE-2026-35057
Severity: MEDIUM
XenForo Stored Cross-Site Scripting via Structured Text Mentions
Title source: cnaDescription
XenForo before 2.2.19, and 2.3.x before 2.3.10, is vulnerable to stored cross-site scripting (XSS) in structured text mentions; the issue primarily affects legacy profile post content. An attacker with an account that can post content injects script through a crafted mention; the payload is stored and executes in the browsers of other users who view that content. The fix ships in XenForo 2.3.10 and 2.2.19 (see the vendor advisory below).
References (2)
Vendor advisory (patch): XenForo 2.3.10 & Add-ons and 2.2.19 Released (Includes Security Fix)
https://xenforo.com/community/threads/xenforo-2-3-10-add-ons-and-2-2-19-released-includes-security-fix.236249/
Exploit (PoC): XenForo 2.x Stored XSS via Placeholder Collision PoC
https://github.com/methosiea/xenforo-2-xss
Scores
CVSS v3.1 base score: 6.4 (MEDIUM)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Vector reading: network-reachable (AV:N), low attack complexity (AC:L), requires a low-privileged account (PR:L), no user interaction (UI:N), scope changed (S:C), low confidentiality and integrity impact (C:L/I:L), no availability impact (A:N). Note that PR:L carries a higher weight under a changed scope, which is what lifts the score to 6.4.
Attack Vector: NETWORK
EPSS: 0.0016 (percentile 6.0%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (3)
XenForo/XenForo: < 2.2.19
xenforo/xenforo: < 2.2.19
XenForo/XenForo: 2.3.0 - 2.3.10
Note: the 2.3.x range above is listed inclusively, but the description and the vendor advisory treat 2.3.10 as the fixed release; read it as 2.3.0 up to but not including 2.3.10.
Published: Apr 01, 2026
Tracked Since: Apr 01, 2026