XenForo 2.3.7 Fixes Passkey Authentication Bypass and Path Disclosure Flaws
XenForo released fixes in version 2.3.7 for two newly disclosed vulnerabilities affecting earlier versions of the forum platform. The more severe issue, tracked as CVE-2025-71279, is a CWE-287 authentication weakness involving passkeys added to user accounts that could allow an unauthenticated remote attacker to compromise passkey-based authentication. The flaw carries a CVSS 3.1 rating of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability.
A second flaw, CVE-2025-71282, is a CWE-209 information disclosure bug that can expose filesystem paths through exception messages triggered by open_basedir restrictions. That issue affects XenForo versions before 2.3.7 and could help attackers map a server's directory structure, with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Advisory references and the XenForo release notice indicate that upgrading to 2.3.7 addresses both vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-71282 published for XenForo path disclosure issue
A CVE entry was published for a XenForo information disclosure flaw in versions before 2.3.7 that could reveal filesystem paths through open_basedir exception messages. The issue was classified as CWE-209 and described as a network-accessible confidentiality-impacting vulnerability.
CVE-2025-71279 recorded for XenForo passkey security bypass
A CVE entry was recorded for a XenForo vulnerability affecting passkeys on user accounts in versions before 2.3.7. The issue was classified as CWE-287 and described as a remotely exploitable authentication-related flaw with high impact.
XenForo 2.3.7 released with security fixes
XenForo released version 2.3.7, and the release notice indicated it included fixes for security issues later tracked as CVE-2025-71279 and CVE-2025-71282 affecting versions before 2.3.7.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple XenForo Flaws Expose Forums to RCE, Scope Abuse, and Template Bypass
XenForo disclosed and patched three high-severity vulnerabilities affecting multiple 2.2 and 2.3 releases, including **remote code execution**, **OAuth2 authorization abuse**, and a **template method call restriction bypass**. The most severe issue, `CVE-2026-35056`, allows an authenticated but malicious administrator with admin control panel access to execute arbitrary code on the server, affecting versions before **2.3.9** and **2.2.18**. The flaw is classified as `CWE-94` and carries a high-impact CVSS vector indicating compromise of confidentiality, integrity, and availability. Two additional XenForo flaws affect authorization controls in the platform. `CVE-2025-71278` impacts versions before **2.3.5** and allows OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended permissions; it is mapped to `CWE-863`. `CVE-2025-71281` affects versions before **2.3.7** and stems from a loose prefix match in template callback and variable method-call handling, enabling unauthorized method invocation from templates. XenForo addressed the issues in security releases **2.3.5**, **2.3.7**, **2.3.9**, and **2.2.18**, with advisories also published by VulnCheck.
Apr 1, 2026
Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation
Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. **CVE-2026-31786** (`XSA-485`) affects Linux kernels **4.13 and later** in Xen domains through unsafe handling of the binary build ID exposed at `/sys/hypervisor/properties/buildid`. The bug uses `sprintf()` on a non-null-terminated binary value, which can trigger an out-of-bounds read and, in rare cases, a write past the 4 KB sysfs buffer, potentially leading to **information disclosure, denial of service, or privilege escalation** inside Linux Xen guests. A second advisory, **CVE-2026-31787** (`XSA-487`), describes a **double-free** flaw in the Linux **Xen `privcmd` driver** that allows a **root user in a Linux guest** to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux **PVH or HVM domains** on **x86 and Arm** from kernel **3.8 onward**, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by **Frediano Ziglio of XenServer** and **Atharva Vartak (@0xAth4rv)**, respectively, and Xen urged operators to apply the supplied Linux patches.
Apr 30, 2026
Connect-CMS flaws allow arbitrary profile changes and stored XSS
Connect-CMS disclosed two high-severity vulnerabilities affecting **all 1.x and 2.x releases through `1.41.0` and `2.41.0`**. The first, **`CVE-2026-32300`**, is an improper authorization issue in the **My Page profile update** feature that can let an authenticated attacker modify arbitrary user information. The flaw is mapped to **`CWE-285`** and **`CWE-639`** and carries a **CVSS 3.1** vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N`, indicating high confidentiality and integrity impact without requiring user interaction. The second issue, **`CVE-2026-32278`**, is a **stored cross-site scripting (XSS)** vulnerability in the **Form Plugin** file field. It is mapped in the advisory to **`CWE-434`** and has a **CVSS 3.1** vector of `AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L`, reflecting the potential for attacker-supplied content to execute in users' browsers after interaction. Both vulnerabilities were fixed in **`1.41.1`** and **`2.41.1`**, with advisories pointing to the relevant patch commit, release tags, and GitHub Security Advisory entries.
Mar 24, 2026