
CVE-2026-35056

HIGH CVSS 7.2

Description

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products

xenforo/xenforo
Published: Apr 01, 2026 01:16 UTC
Modified: Apr 01, 2026 18:55 UTC