CVE-2025-71278

HIGH CVSS 8.8

Description

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

xenforo/xenforo
Published: Apr 01, 2026 01:16 UTC
Modified: Apr 01, 2026 18:51 UTC