Multiple XenForo Flaws Expose Forums to RCE, Scope Abuse, and Template Bypass
XenForo disclosed and patched three high-severity vulnerabilities affecting multiple 2.2 and 2.3 releases, including remote code execution, OAuth2 authorization abuse, and a template method call restriction bypass. The most severe issue, CVE-2026-35056, allows an authenticated but malicious administrator with admin control panel access to execute arbitrary code on the server, affecting versions before 2.3.9 and 2.2.18. The flaw is classified as CWE-94 and carries a high-impact CVSS vector indicating compromise of confidentiality, integrity, and availability.
Two additional XenForo flaws affect authorization controls in the platform. CVE-2025-71278 impacts versions before 2.3.5 and allows OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended permissions; it is mapped to CWE-863. CVE-2025-71281 affects versions before 2.3.7 and stems from a loose prefix match in template callback and variable method-call handling, enabling unauthorized method invocation from templates. XenForo addressed the issues in security releases 2.3.5, 2.3.7, 2.3.9, and 2.2.18, with advisories also published by VulnCheck.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
VulnCheck receives and publishes three XenForo CVE records
VulnCheck disclosure records for CVE-2025-71278, CVE-2025-71281, and CVE-2026-35056 were newly received on April 1, 2026, documenting the vulnerabilities, affected versions, severity scoring, and references to XenForo security releases.
XenForo 2.2.18 and 2.3.9 fix authenticated admin RCE
XenForo released versions 2.2.18 and 2.3.9 to address CVE-2026-35056, a remote code execution vulnerability that allowed an authenticated malicious admin with admin panel access to execute arbitrary code on the server.
XenForo 2.3.7 fixes template method call restriction bypass
XenForo released version 2.3.7 with a security fix for a vulnerability later tracked as CVE-2025-71281. The flaw affected versions before 2.3.7 and stemmed from loose prefix matching for methods callable from templates, enabling unauthorized method invocations.
XenForo 2.3.5 fixes OAuth2 unauthorized scope request flaw
XenForo released version 2.3.5 with a security fix for an issue later tracked as CVE-2025-71278, which allowed OAuth2 client applications to request unauthorized scopes in XenForo 2.3 versions before 2.3.5.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2025-71278 - XenForo OAuth2 Unauthorized Scope Request
cvefeed.io
Open sourceCVE-2025-71281 - XenForo Template Method Call Restriction Bypass
cvefeed.io
Open sourceCVE-2026-35056 - XenForo Remote Code Execution via Authenticated Admin
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
XenForo 2.3.7 Fixes Passkey Authentication Bypass and Path Disclosure Flaws
XenForo released fixes in version **2.3.7** for two newly disclosed vulnerabilities affecting earlier versions of the forum platform. The more severe issue, tracked as **`CVE-2025-71279`**, is a **CWE-287** authentication weakness involving passkeys added to user accounts that could allow an unauthenticated remote attacker to compromise passkey-based authentication. The flaw carries a **CVSS 3.1** rating of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. A second flaw, **`CVE-2025-71282`**, is a **CWE-209** information disclosure bug that can expose filesystem paths through exception messages triggered by `open_basedir` restrictions. That issue affects XenForo versions before **2.3.7** and could help attackers map a server's directory structure, with a **CVSS 3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`. Advisory references and the XenForo release notice indicate that upgrading to **2.3.7** addresses both vulnerabilities.
Apr 1, 2026
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
Mar 21, 2026