Description

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

PUBLISHED Reserved 2026-04-01 | Published 2026-04-01 | Updated 2026-05-24 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

affected: 2.3.0 (semver) before 2.3.9

Credits

Antisocial finder

References

xenforo.com/...inc-xfmg-2-2-18-released-security-fix.235659/ (XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)) vendor-advisory patch

www.vulncheck.com/...ss-site-scripting-via-bb-code-rendering (VulnCheck Advisory: XenForo Stored Cross-Site Scripting via BB Code Rendering) third-party-advisory

cve.org (CVE-2026-35054)

nvd.nist.gov (CVE-2026-35054)
