Vulnerability Description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
CVSS Score
7.2
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xenforo | Xenforo | < 2.2.18 |
Related Weaknesses (CWE)
References
- https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticThird Party Advisory
- https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-secRelease Notes
FAQ
What is CVE-2026-35056?
CVE-2026-35056 is a vulnerability with a CVSS score of 7.2 (HIGH). XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
How severe is CVE-2026-35056?
CVE-2026-35056 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35056?
Check the references section above for vendor advisories and patch information. Affected products include: Xenforo Xenforo.