CVE-2026-35056

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin	Third Party Advisory
https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xenforo:xenforo::::::::
	cpe:2.3:a:xenforo:xenforo::::::::

History

01 Apr 2026, 18:55

Type	Values Removed	Values Added
References	~~() https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin -~~	() https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin - Third Party Advisory
References	~~() https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ -~~	() https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ - Release Notes
First Time		Xenforo Xenforo xenforo
CPE		cpe:2.3:a:xenforo:xenforo::::::::
Summary		(es) XenForo anterior a 2.3.9 y anterior a 2.2.18 permite la ejecución remota de código (RCE) por usuarios administradores autenticados, pero maliciosos. Un atacante con acceso al panel de administración puede ejecutar código arbitrario en el servidor.

01 Apr 2026, 14:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 7.2

01 Apr 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 01:16

Updated : 2026-04-01 18:55

NVD link : CVE-2026-35056

Mitre link : CVE-2026-35056

CVE.ORG link : CVE-2026-35056

JSON object : View

Products Affected

xenforo

xenforo

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-35056", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-01T01:16:41.593", "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 y anterior a 2.2.18 permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) por usuarios administradores autenticados, pero maliciosos. Un atacante con acceso al panel de administraci\u00f3n puede ejecutar c\u00f3digo arbitrario en el servidor."}], "lastModified": "2026-04-01T18:55:19.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78F0F9B0-9777-4266-83FF-74BEF672AAE8", "versionEndExcluding": "2.2.18"}, {"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F317C8A1-B2B0-4C3C-AFEE-8B1050F38744", "versionEndExcluding": "2.3.9", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}