{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71279", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-01T00:19:58.851Z", "datePublished": "2026-04-01T00:30:09.227Z", "dateUpdated": "2026-04-01T19:00:09.950Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:19.629Z"}, "datePublic": "2025-07-15T00:00:00.000Z", "title": "XenForo Passkey Security Bypass", "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"version": "2.3.0", "lessThan": "2.3.7", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.7"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "name": "XenForo 2.3.7 Released (Includes Security Fixes)", "tags": ["vendor-advisory", "patch"]}, {"name": "VulnCheck Advisory: XenForo Passkey Security Bypass", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-passkey-security-bypass"}], "credits": [{"lang": "en", "value": "Jai Niresh J", "type": "finder"}, {"lang": "en", "value": "Hypixel Inc.", "type": "coordinator"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:59:48.304572Z", "id": "CVE-2025-71279", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:00:09.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-71279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T18:59:48.304572Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:59:57.219Z"}}], "cna": {"title": "XenForo Passkey Security Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Jai Niresh J"}, {"lang": "en", "type": "coordinator", "value": "Hypixel Inc."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"status": "affected", "version": "2.3.0", "lessThan": "2.3.7", "versionType": "semver"}]}], "datePublic": "2025-07-15T00:00:00.000Z", "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "name": "XenForo 2.3.7 Released (Includes Security Fixes)", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/xenforo-passkey-security-bypass", "name": "VulnCheck Advisory: XenForo Passkey Security Bypass", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:19.629Z"}}}, "cveMetadata": {"cveId": "CVE-2025-71279", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:00:09.950Z", "dateReserved": "2026-04-01T00:19:58.851Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-01T00:30:09.227Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5ADDC458-D5EB-4B70-9EE7-93C78E81EDBD", "versionEndExcluding": "2.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication."}, {"lang": "es", "value": "XenForo anterior a 2.3.7 contiene un problema de seguridad que afecta a las Passkeys que se han a\u00f1adido a las cuentas de usuario. Un atacante podr\u00eda comprometer la seguridad de la autenticaci\u00f3n basada en Passkey."}], "id": "CVE-2025-71279", "lastModified": "2026-04-01T18:57:17.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-01T01:16:40.200", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-passkey-security-bypass"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.7)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "XenForo", "source": "cna", "vendor": "XenForo"}, "product": "xenforo", "vendor": "xenforo"}], "analysis": {"en": {"generated_at": "2026-04-01T05:23:36.657925+00:00", "value": {"mitigation_remediation": ["Apply the XenForo 2.3.7 or later update to install the vendor fix", "Verify that Passkey authentication functions correctly after the upgrade", "If an upgrade cannot be applied immediately, disable Passkey authentication for affected accounts as a temporary safeguard", "Continuously monitor XenForo community forums, security advisories, and relevant security mailing lists for updates or new exploit activity"], "summary": {"action": "Immediate Patch", "impact": "Passkey Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all XenForo releases prior to 2.3.7. Users running any earlier version should upgrade to 2.3.7 or later to eliminate the flaw.", "description_and_impact": "XenForo before version 2.3.7 has a vulnerability that allows an attacker to bypass Passkey authentication. The weakness is an authentication flaw that can be exploited to assume the identity of any user with a Passkey configured, compromising account integrity and potentially granting full user privileges.", "risk_and_exploitability": "The CVSS score of 9.3 indicates critical severity and the vulnerability is not listed in the KEV catalog. EPSS data is unavailable, but the lack of known exploits does not reduce the risk. The likely attack vector is through the web interface that processes Passkey authentication requests; an attacker can supply forged Passkey data remotely to coerce the system into authenticating them as a legitimate user. This flaw can be exploited without requiring local access or user interaction."}}}}, "created": "2026-04-02T07:51:07.053575+00:00", "updated": "2026-04-02T20:09:46.545646+00:00", "vendors": ["xenforo", "xenforo$PRODUCT$xenforo"]}