Description
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

XenForo before version 2.3.9 allows an attacker to embed malicious scripts into posts by using BB code. The scripts are stored in the database and are executed whenever another user views the content, creating a stored cross‑site scripting (XSS) vulnerability identified as CWE‑79. This flaw can enable cookie theft, forum defacement, or redirection to malicious sites, affecting all users who view the compromised posts.

Affected Systems

The vulnerability impacts all installations of XenForo running any version prior to 2.3.9 that have BB code rendering enabled for user posts. The affected product is XenForo’s forum platform, and any instance that permits user‑generated BB code is potentially vulnerable. No specific sub‑version details beyond the 2.3.9 cutoff are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. With no EPSS score available and the vulnerability not listed in the CISA KEV catalog, current exploitation is plausible but not yet widespread. The inferred attack path is an attacker submitting a post containing malicious BB code; the stored payload then executes in the browser of every user who views that post. No authentication prerequisites are mentioned, implying that anyone who can post with BB code can potentially exploit the system. Until the issue is patched, the risk remains moderate, especially in high-traffic forums where many users may be exposed to the compromised content.

Generated by OpenCVE AI on April 1, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update XenForo to version 2.3.9 or later

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

Type: Title
Values Added: XenForo Stored Cross-Site Scripting via BB Code Rendering

Type: First Time appeared
Values Added: Xenforo; Xenforo xenforo

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Xenforo; Xenforo xenforo

Type: References
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T13:37:39.225Z

Reserved: 2026-04-01T00:19:59.194Z

Link: CVE-2026-35054

Vulnrichment

Updated: 2026-04-01T13:37:28.687Z

NVD

Status: Analyzed

Published: 2026-04-01T01:16:41.200

Modified: 2026-04-01T18:51:19.460

Link: CVE-2026-35054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:42Z

Weaknesses