Description
XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of server directory paths
Action: Immediate Patch
AI Analysis

Impact

XenForo versions before 2.3.7 emit exception messages when open_basedir restrictions are triggered. These messages contain absolute filesystem paths, thereby revealing the layout of the server’s directories. An attacker can use this information to map the underlying file system and identify potential targets for further attacks. The weakness falls under the category of information disclosure.

Affected Systems

The affected product is XenForo forum software before version 2.3.7. All earlier releases are impacted.

Risk and Exploitability

The vulnerability has a high severity rating, with a score of 8.7. No exploitation probability score is available, and the issue is not in the Known Exploited Vulnerabilities catalog. The likely attack path is through the web interface; any request that triggers an open_basedir exception will cause the server to return the detailed path information. Thus, unauthenticated or authenticated web traffic can expose directory paths, representing a significant risk to the confidentiality of the server’s file system.

Generated by OpenCVE AI on April 1, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the XenForo update to version 2.3.7 or later to remove the vulnerable exception handling.
  • If an immediate patch is not feasible, configure PHP to suppress or hide open_basedir exception messages so they are not sent to users.
  • Restrict the open_basedir setting in the PHP configuration to only the directories required by XenForo.
  • After remediation, verify that no path disclosure messages appear and monitor logs for attempts to access files outside the allowed directories.

Generated by OpenCVE AI on April 1, 2026 at 05:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.
Title XenForo Path Disclosure via open_basedir Exceptions
First Time appeared Xenforo
Xenforo xenforo
Weaknesses CWE-209
CPEs cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
Vendors & Products Xenforo
Xenforo xenforo
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xenforo Xenforo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T12:21:37.653Z

Reserved: 2026-04-01T00:19:58.852Z

Link: CVE-2025-71282

cve-icon Vulnrichment

Updated: 2026-04-01T12:21:32.753Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T01:16:40.797

Modified: 2026-04-01T18:53:29.363

Link: CVE-2025-71282

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:09:43Z

Weaknesses