Description
XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in XenForo versions prior to 2.3.7 permits methods to be called from within templates without the stricter first-word check that should limit them. Because only a loose prefix match was applied, an attacker can invoke methods that are normally protected, which can lead to code execution or other unauthorized actions. The weakness is classified as code injection (CWE-94): code that is not properly validated ends up executing unintended functionality.

Affected Systems

The vulnerability affects the XenForo forum software, specifically installations running any version before 2.3.7. Administrators of these sites, including custom-template developers, are exposed if they allow template editing by untrusted users or have exposed template files. The issue stems from the server-side template rendering engine that processes user-supplied content.

Risk and Exploitability

The CVSS base score of 8.7 indicates a high severity, and the absence of an EPSS score or KEV listing suggests that exploitation is possible but no publicly confirmed exploits are documented. The likely attack vector is via crafting a template or post that includes a malicious method call, which would be processed on the server as part of rendering. Successful exploitation would grant the attacker elevated privileges or arbitrary code execution depending on the methods available in the environment.
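To make the difference between a loose prefix match and a first-word match concrete, the following is an added example, not XenForo's own code; the allowlist of safe first words (get/is/has/can) and both function names are assumptions chosen for illustration:

```php
<?php
// Added illustration, not XenForo's code. The allowlist of "safe" first
// words below is an assumption chosen for the example.
const ALLOWED_FIRST_WORDS = ['get', 'is', 'has', 'can'];

// Loose check: accepts any name that merely starts with an allowed word,
// so unrelated methods such as "cancel" or "issue" slip through.
function allowedByPrefix(string $method): bool
{
    foreach (ALLOWED_FIRST_WORDS as $word) {
        if (strncasecmp($method, $word, strlen($word)) === 0) {
            return true;
        }
    }
    return false;
}

// Stricter check: the first camelCase word (the leading run of lowercase
// letters) must itself be an allowed word, so "canEdit" passes but
// "cancel" does not.
function allowedByFirstWord(string $method): bool
{
    if (preg_match('/^([a-z]+)/', $method, $m) !== 1) {
        return false; // no lowercase first word at all, e.g. "Run" or "_x"
    }
    return in_array($m[1], ALLOWED_FIRST_WORDS, true);
}

// Constructed sample names; the first-word column is the one a template
// engine should rely on.
foreach (['canEdit', 'cancel', 'isValid', 'issue', 'getTitle', 'hasher', 'delete'] as $name) {
    printf("%-9s prefix=%-5s first-word=%s\n", $name,
        allowedByPrefix($name) ? 'allow' : 'deny',
        allowedByFirstWord($name) ? 'allow' : 'deny');
}
```

Names such as "cancel", "issue" and "hasher" are accepted by the prefix check but rejected by the first-word check, which is the gap the description refers to.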

Generated by OpenCVE AI on April 1, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XenForo to version 2.3.7 or later to apply the fix for the template method call restriction.
  • Audit existing templates for unsafe method calls and replace or remove them before upgrading if necessary.
  • Restrict template editing rights to trusted administrators only and disable public editing to prevent malicious input until the update is applied.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000

Values removed: none
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values removed: none
Values added:
  • Description: XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
  • Title: XenForo Template Method Call Restriction Bypass
  • First Time appeared: Xenforo; Xenforo xenforo
  • Weaknesses: CWE-94
  • CPEs: cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
  • Vendors & Products: Xenforo; Xenforo xenforo
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-03T16:43:31.485Z

Reserved: 2026-04-01T00:19:58.851Z

Link: CVE-2025-71281

Vulnrichment

Updated: 2026-04-03T16:43:28.174Z

NVD

Status: Analyzed

Published: 2026-04-01T01:16:40.590

Modified: 2026-04-01T18:52:54.050

Link: CVE-2025-71281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:44Z

Weaknesses