CVE-2025-71278 | THREATINT

Description

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

PUBLISHED Reserved 2026-04-01 | Published 2026-04-01 | Updated 2026-04-01 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Incorrect Authorization

Product status

2.3.0 (semver) before 2.3.5

affected

References

xenforo.com/...ncludes-security-fix-add-ons-released.228812/ (XenForo 2.3.5 (Includes Security Fix) & Add-ons Released) vendor-advisory patch

www.vulncheck.com/...nforo-oauth2-unauthorized-scope-request (VulnCheck Advisory: XenForo OAuth2 Unauthorized Scope Request) third-party-advisory

cve.org (CVE-2025-71278)

nvd.nist.gov (CVE-2025-71278)

Download JSON