CVE-2026-35055

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts	Third Party Advisory
https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xenforo:xenforo::::::::
	cpe:2.3:a:xenforo:xenforo::::::::

History

01 Apr 2026, 18:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:xenforo:xenforo::::::::
Summary		(es) XenForo anterior a 2.3.9 y anterior a 2.2.18 es vulnerable a cross-site scripting (XSS) relacionado con el uso de lightbox en publicaciones. Un atacante puede inyectar scripts maliciosos que se ejecutan cuando los usuarios interactúan con el contenido de la publicación mostrado en el lightbox.
First Time		Xenforo Xenforo xenforo
References	~~() https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts -~~	() https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts - Third Party Advisory
References	~~() https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ -~~	() https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ - Release Notes

01 Apr 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 01:16

Updated : 2026-04-01 18:55

NVD link : CVE-2026-35055

Mitre link : CVE-2026-35055

CVE.ORG link : CVE-2026-35055

JSON object : View

Products Affected

xenforo

xenforo

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-35055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-01T01:16:41.397", "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 y anterior a 2.2.18 es vulnerable a cross-site scripting (XSS) relacionado con el uso de lightbox en publicaciones. Un atacante puede inyectar scripts maliciosos que se ejecutan cuando los usuarios interact\u00faan con el contenido de la publicaci\u00f3n mostrado en el lightbox."}], "lastModified": "2026-04-01T18:55:13.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78F0F9B0-9777-4266-83FF-74BEF672AAE8", "versionEndExcluding": "2.2.18"}, {"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F317C8A1-B2B0-4C3C-AFEE-8B1050F38744", "versionEndExcluding": "2.3.9", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}