CVE-2026-35057
MEDIUM
XenForo Stored Cross-Site Scripting via Structured Text Mentions
Title source: cna
Description
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.
Scores
CVSS v3
6.4
EPSS
0.0003
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
XenForo/XenForo
< 2.2.19
xenforo/xenforo
< 2.2.19
XenForo/XenForo
2.3.0 - 2.3.10
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026