CVE-2026-35056KEVEXPLOITEDPATCHED

xenforo

XenForo Remote Code Execution via Authenticated Admin

Description

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

Affected Products

Vendor	Product	Versions
xenforo	—	2.3.0, 0

References

https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/(vendor-advisory, patch)
https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin(third-party-advisory)

Related News (1 articles)

Tier C

VulDB13h ago

CVE-2026-35056 | XenForo up to 2.2.17/2.3.8 code injection

→ No new info (linked only)

CVSS 3.18.8 NONE

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

2.3.92.2.18

CWECWE-94

PublishedApr 1, 2026

Last enriched13h agov2

Trending Score84

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2025-71282EXP

XenForo Path Disclosure via open_basedir Exceptions

Trending: 47

NONECVE-2026-35057EXP

XenForo Stored Cross-Site Scripting via Structured Text Mentions

Trending: 45

NONECVE-2026-35055EXP

XenForo Cross-Site Scripting via Lightbox in Posts

Trending: 37

NONECVE-2024-58342EXP

XenForo Open Redirect via getDynamicRedirect

Trending: 37

NONECVE-2025-71281EXP

XenForo Template Method Call Restriction Bypass

Trending: 37

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Added to CISA KEV

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026

Updated: affectedVersions, severity

Apr 1, 2026

Actively Exploited

Apr 1, 2026

Patch Available

Apr 1, 2026

Version History

Last enriched 13h ago

v2Tier C13h ago

Updated affected versions to include 2.2.17 and 2.3.8, changed severity to CRITICAL, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v114h ago

Initial creation