Description

XenForo 2.3 before 2.3.10 and any version before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions; the scripts are stored and executed when other users view the content.

Status: PUBLISHED | Reserved 2026-04-01 | Published 2026-04-01 | Updated 2026-05-24 | Assigner: VulnCheck

CVSS scores

MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

2.3.0 (semver) before 2.3.10: affected

Any version before 2.2.19: affected

Credits

metho finder

References

xenforo.com/...2-2-19-released-includes-security-fix.236249/ (XenForo 2.3.10 & Add-ons and 2.2.19 Released (Includes Security Fix)) [vendor-advisory, patch]

github.com/methosiea/xenforo-2-xss (XenForo 2.x Stored XSS via Placeholder Collision PoC) [exploit]

cve.org (CVE-2026-35057)

nvd.nist.gov (CVE-2026-35057)