Description
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting allowing malicious script execution for users viewing content
Action: Patch
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw residing in structured text mentions of XenForo versions prior to 2.3.10 and 2.2.19. An attacker can embed malicious script code into a mention that is then saved to the database. When other users view the content, the script executes in their browsers, potentially allowing an attacker to steal session data, deface pages, or perform other client‑side attacks. The weakness is classified as CWE‑79.

Affected Systems

The affected software is XenForo, specifically any releases older than 2.3.10 and older than 2.2.19. Users running those legacy versions are susceptible to the flaw.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation at present. The likely attack path is any user who can post structured text content: by inserting a crafted mention with embedded script, the attacker can compromise other users who view the post. Exploitation requires the ability to write or edit profile post content, which may be limited to registered users or administrators.

Generated by OpenCVE AI on April 1, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XenForo to version 2.3.10 or later, or 2.2.19 or later, to eliminate the stored XSS flaw.
  • If upgrading is delayed, restrict permission to create or edit structured text mentions to trusted users only.
  • Apply input filtering or sanitization on legacy profile post content to remove or escape malicious script code.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 04:00:00 +0000


Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values Added: XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

Type: Title
Values Added: XenForo Stored Cross-Site Scripting via Structured Text Mentions

Type: First Time appeared
Values Added: Xenforo; Xenforo xenforo

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Xenforo; Xenforo xenforo

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T13:19:02.344Z

Reserved: 2026-04-01T00:19:59.194Z

Link: CVE-2026-35057

Vulnrichment

Updated: 2026-04-01T13:18:59.052Z

NVD

Status: Analyzed

Published: 2026-04-01T01:16:41.790

Modified: 2026-04-01T16:24:40.283

Link: CVE-2026-35057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:39Z

Weaknesses