Description
XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.
Published: 2026-04-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive user information disclosure via cached local account pages
Action: Apply Update
AI Analysis

Impact

XenForo installations older than version 2.3.7 store full account pages in the browser cache on shared systems. A local user who has access to the same machine or browser session can read those cached pages and obtain personal or sensitive information about other users, representing a confidentiality breach. The weakness is classified as an Information Disclosure (CWE‑200).

Affected Systems

The vulnerability exists in XenForo forum software for all versions earlier than 2.3.7. Customers using the XenForo platform without upgrading to 2.3.7 or later are affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity. Exploitability is limited to local users with access to the host or shared browser; no network or remote attack vector is documented. The EPSS score is missing, and the issue is not in the CISA KEV list, suggesting lower current exploitation risk. Nonetheless, any local attacker can trigger the disclosure by simply accessing the cached account page.

Generated by OpenCVE AI on April 1, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install XenForo 2.3.7 or later to eliminate the caching issue.
  • If an upgrade is not immediately possible, configure the web server or application to disable caching for user account pages.
  • Verify that no cached pages remain by clearing browser caches on all shared machines.
  • Monitor XenForo security advisories for additional patches or workarounds.

Generated by OpenCVE AI on April 1, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.
Title XenForo Local Account Page Caching Information Disclosure
First Time appeared Xenforo
Xenforo xenforo
Weaknesses CWE-200
CPEs cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
Vendors & Products Xenforo
Xenforo xenforo
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xenforo Xenforo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T13:20:08.426Z

Reserved: 2026-04-01T00:19:58.851Z

Link: CVE-2025-71280

cve-icon Vulnrichment

Updated: 2026-04-01T13:20:01.442Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T01:16:40.393

Modified: 2026-04-01T18:52:12.647

Link: CVE-2025-71280

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:09:45Z

Weaknesses