CVE-2026-35057EXPLOITEDPATCHED

xenforo · xenforo

XenForo Stored Cross-Site Scripting via Structured Text Mentions

Description

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

Affected Products

Vendor	Product	Versions
xenforo	xenforo	2.3.0, 0

References

https://xenforo.com/community/threads/xenforo-2-3-10-add-ons-and-2-2-19-released-includes-security-fix.236249/(vendor-advisory, patch)
https://github.com/methosiea/xenforo-2-xss(exploit)

Related News (1 articles)

Tier C

VulDB15h ago

CVE-2026-35057 | XenForo up to 2.2.18/2.3.9 Mentions cross site scripting

→ No new info (linked only)

CVSS 3.16.4 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.3.102.2.19

CWECWE-79

PublishedApr 1, 2026

Last enriched15h agov2

Trending Score44

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-35056EXPKEV

XenForo Remote Code Execution via Authenticated Admin

Trending: 83

NONECVE-2025-71282EXP

XenForo Path Disclosure via open_basedir Exceptions

Trending: 46

NONECVE-2026-35055EXP

XenForo Cross-Site Scripting via Lightbox in Posts

Trending: 37

NONECVE-2024-58342EXP

XenForo Open Redirect via getDynamicRedirect

Trending: 37

NONECVE-2025-71281EXP

XenForo Template Method Call Restriction Bypass

Trending: 37

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 1, 2026

Actively Exploited

Apr 1, 2026

Patch Available

Apr 1, 2026

Version History

Last enriched 15h ago

v2Tier C15h ago

Updated affected versions to 2.2.18 and 2.3.9, changed severity to HIGH, and noted that the exploit is not available but the vulnerability is actively exploited.

affectedVersionsseverityactivelyExploited

via VulDB

v116h ago

Initial creation