Description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Published: 2026-04-01
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Authenticated Admin Credentials
Action: Immediate Patch
AI Analysis

Impact

A flaw in XenForo’s admin interface allows an authenticated, malicious administrator to execute arbitrary code on the server, turning any admin account into an execution vector. This weakness corresponds to a code injection vulnerability (CWE-94). Successful exploitation grants a malicious user full control over the hosting environment, jeopardizing confidentiality, integrity, and availability.

Affected Systems

The vulnerability applies to XenForo forum software released before version 2.3.9 or 2.2.18. Any installation running those releases and possessing an admin account is susceptible, regardless of network exposure.

Risk and Exploitability

The flaw scores 8.6 on the CVSS scale, indicating high severity, while the EPSS score is below 1%, implying a low likelihood of immediate exploitation, and it is not listed in CISA’s KEV catalog. The attack vector is likely confined to the authenticated admin panel, so an attacker must first obtain an admin account or trick an admin into logging on; after that, arbitrary code can be run on the server, giving system-wide privileges.

Generated by OpenCVE AI on April 2, 2026 at 04:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XenForo to version 2.3.9 or later (or to the corresponding 2.2.18 release).
  • Verify that the installation no longer uses the vulnerable versions.
  • Restrict and monitor admin accounts to prevent unauthorized use of the panel.
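As an added illustration of the upgrade and verification steps above (this is example code, not OpenCVE’s or XenForo’s own), the following Python checks an installed version against the branch-specific fixed releases named in this record: 2.2.18 for the 2.2 branch and 2.3.9 for the 2.3 branch. It also shows why the check must be done per branch rather than against a single version number. The sample `src/XF.php` contents and the assumed declaration form `public static $version = '...'` are constructed for the example.

```python
"""Check a XenForo version against the fixed releases named in this record.

Added example, not OpenCVE or XenForo code. The fixed versions below come
from the record text: 2.3.9 for the 2.3 branch, 2.2.18 for the 2.2 branch.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, as stated in the advisory text.
FIXED_BY_BRANCH = {
    (2, 2): (2, 2, 18),
    (2, 3): (2, 3, 9),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Assumed declaration form in src/XF.php, e.g.  public static $version = '2.3.8';
# (assumption for this example; verify against your installation).
_XF_VERSION_RE = re.compile(r"\$version\s*=\s*'([^']+)'")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None. Suffixes such as ' Patch 1' or
    '-rc1' are ignored because only the numeric triple is compared."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected branch and below that branch's
    fix, False if it is at or above the fix, None if the record names no fixed
    version for that branch or the string does not parse. Treat None as
    'review manually', never as 'safe'."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    # Compare within the branch only: 2.3.0 is numerically above 2.2.18 but
    # still below the 2.3 branch fix, so a flat "version >= 2.2.18" test would
    # wrongly clear every 2.3.x release below 2.3.9.
    return v < fixed


def read_installed_version(xf_php_source: str) -> Optional[str]:
    """Extract the version string from the contents of src/XF.php using the
    assumed declaration form in _XF_VERSION_RE."""
    m = _XF_VERSION_RE.search(xf_php_source)
    return m.group(1) if m else None


# Constructed stand-in for src/XF.php; a real installation's file differs.
SAMPLE_XF_PHP = """<?php
class XF
{
    public static $version = '2.3.8';
}
"""


def main() -> None:
    installed = read_installed_version(SAMPLE_XF_PHP)
    if installed is None:
        print("could not read version from src/XF.php; review manually")
    else:
        print(f"installed version {installed}: vulnerable={is_vulnerable(installed)}")
    for candidate in ["2.2.17", "2.2.18", "2.3.0", "2.3.8", "2.3.9", "2.1.10"]:
        print(f"{candidate:>8}: {is_vulnerable(candidate)}")


if __name__ == "__main__":
    main()
```

Versions outside the two branches the record names (the `2.1.10` case) return `None` rather than `False`, because the record’s CPE entry covers all versions and gives no fixed release for other branches; a scanner that silently reported such installs as clean would produce a false negative.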



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics (Values Removed / Values Added)
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
  XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Type: Title
  XenForo Remote Code Execution via Authenticated Admin
Type: First Time appeared
  Xenforo; Xenforo xenforo
Type: Weaknesses
  CWE-94
Type: CPEs
  cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Xenforo; Xenforo xenforo
Type: References
Type: Metrics
  cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T19:04:59.806Z

Reserved: 2026-04-01T00:19:59.194Z

Link: CVE-2026-35056

Vulnrichment

Updated: 2026-04-01T19:04:55.530Z

NVD

Status: Analyzed

Published: 2026-04-01T01:16:41.593

Modified: 2026-04-01T18:55:19.097

Link: CVE-2026-35056

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:40Z

Weaknesses