XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other u

Description

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

Affected Products

Vendor	Product	Versions
xenforo	xenforo	< 2.3.9

References

CVSS 3.16.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

2.3.9

CWECWE-79

PublishedApr 1, 2026

Last enriched3d ago

Trending Score0

Source articles0

Independent0

Info Completeness5/14

Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2025-71279

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.

MEDIUMCVE-2024-58342

XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect use

HIGHCVE-2025-71278

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing

MEDIUMCVE-2025-71280

XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensi

MEDIUMCVE-2026-35055

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with po

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Patch Available

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026