Description

XenForo before 2.3.9 (2.3 branch) and before 2.2.18 (2.2 branch) allows remote code execution (RCE) by authenticated but malicious admin users. An attacker with access to the admin control panel can execute arbitrary code on the server.

State: PUBLISHED | Reserved 2026-04-01 | Published 2026-04-01 | Updated 2026-05-25 | Assigner: VulnCheck

CVSS 4.0: 8.6 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CVSS 3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

2.3.0 (semver) before 2.3.9: affected

Any version before 2.2.18: affected

Credits

UwU finder

References

XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix): xenforo.com/...inc-xfmg-2-2-18-released-security-fix.235659/ [vendor-advisory, patch]

VulnCheck Advisory: XenForo Remote Code Execution via Authenticated Admin: www.vulncheck.com/...-code-execution-via-authenticated-admin [third-party-advisory]

CVE-2026-35056 record: cve.org

CVE-2026-35056 entry: nvd.nist.gov