Description
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in post lightboxes
Action: Patch
AI Analysis

Impact

A flaw in XenForo allows attackers to embed malicious scripts that run when a user opens a post image or media in a lightbox. The vulnerability is a classic stored cross‑site scripting (CWE‑79) that can lead to cookie theft, session hijacking, or malicious redirection. It does not provide direct code execution on the server, but it can compromise any site visitor’s browser context while interacting with the vulnerable posts.

Affected Systems

XenForo installations running a version earlier than 2.3.9 or earlier than 2.2.18 are affected. The issue specifically involves the lightbox feature used to display images or media embedded in forum posts. Any forum or community site that has not applied the newer releases is at risk.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which implies no widely known active exploitation yet. The attack requires an attacker to post malicious content or otherwise influence post media; once a victim opens the lightbox, the injected script executes. This makes it relatively easy to exploit in an environment where user‑generated content is displayed.

Generated by OpenCVE AI on April 1, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current XenForo version on the installation. If it is older than 2.3.9 or 2.2.18, download and install the official security patch or upgrade to a newer version of XenForo. Once updated, thoroughly test the forum’s functionality, ensuring that post lightboxes no longer allow script injection. If an immediate upgrade is not possible, limit user ability to embed media or restrict permissions for posting external links until a patch can be applied.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.

Type: Title
Values Removed: (none)
Values Added: XenForo Cross-Site Scripting via Lightbox in Posts

Type: First Time appeared
Values Removed: (none)
Values Added: Xenforo; Xenforo xenforo

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Xenforo; Xenforo xenforo

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T15:51:58.760Z

Reserved: 2026-04-01T00:19:59.194Z

Link: CVE-2026-35055

Vulnrichment

Updated: 2026-04-01T14:55:19.525Z

NVD

Status : Analyzed

Published: 2026-04-01T01:16:41.397

Modified: 2026-04-01T18:55:13.727

Link: CVE-2026-35055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:41Z

Weaknesses