{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35055", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-01T00:19:59.194Z", "datePublished": "2026-04-01T00:30:13.058Z", "dateUpdated": "2026-04-01T15:51:58.760Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:23.718Z"}, "datePublic": "2026-02-05T00:00:00.000Z", "title": "XenForo Cross-Site Scripting via Lightbox in Posts", "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"version": "2.3.0", "lessThan": "2.3.9", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "2.2.18", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.18"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "name": "XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)", "tags": ["vendor-advisory", "patch"]}, {"name": "VulnCheck Advisory: XenForo Cross-Site Scripting via Lightbox in Posts", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts"}], "credits": [{"lang": "en", "value": "UwU", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T14:55:15.520232Z", "id": "CVE-2026-35055", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:51:58.760Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35055", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-01T00:19:59.194Z", "datePublished": "2026-04-01T00:30:13.058Z", "dateUpdated": "2026-04-01T15:51:58.760Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:23.718Z"}, "datePublic": "2026-02-05T00:00:00.000Z", "title": "XenForo Cross-Site Scripting via Lightbox in Posts", "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"version": "2.3.0", "lessThan": "2.3.9", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "2.2.18", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.18"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "name": "XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)", "tags": ["vendor-advisory", "patch"]}, {"name": "VulnCheck Advisory: XenForo Cross-Site Scripting via Lightbox in Posts", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts"}], "credits": [{"lang": "en", "value": "UwU", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T14:55:15.520232Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:55:19.525Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "78F0F9B0-9777-4266-83FF-74BEF672AAE8", "versionEndExcluding": "2.2.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "F317C8A1-B2B0-4C3C-AFEE-8B1050F38744", "versionEndExcluding": "2.3.9", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 y anterior a 2.2.18 es vulnerable a cross-site scripting (XSS) relacionado con el uso de lightbox en publicaciones. Un atacante puede inyectar scripts maliciosos que se ejecutan cuando los usuarios interact\u00faan con el contenido de la publicaci\u00f3n mostrado en el lightbox."}], "id": "CVE-2026-35055", "lastModified": "2026-04-01T18:55:13.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-01T01:16:41.397", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.18)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "XenForo", "source": "cna", "vendor": "XenForo"}, "product": "xenforo", "vendor": "xenforo"}], "analysis": {"en": {"generated_at": "2026-04-01T05:22:08.015764+00:00", "value": {"mitigation_remediation": ["Verify the current XenForo version on the installation. If it is older than 2.3.9 or 2.2.18, download and install the official security patch or upgrade to a newer version of XenForo. Once updated, thoroughly test the forum\u2019s functionality, ensuring that post lightboxes no longer allow script injection. If an immediate upgrade is not possible, limit user ability to embed media or restrict permissions for posting external links until a patch can be applied."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting in post lightboxes"}, "threat_synthesis": {"affected_systems": "Users running XenForo editions prior to 2.3.9 and XenForo 2.2.18 are affected. The issue specifically involves the lightbox feature used to display images or media embedded in forum posts. Any forum or community site that has not applied newer patches is at risk.", "description_and_impact": "A flaw in XenForo allows attackers to embed malicious scripts that run when a user opens a post image or media in a lightbox. The vulnerability is a classic stored cross\u2011site scripting (CWE\u201179) that can lead to cookie theft, session hijacking, or malicious redirection. It does not provide direct code execution on the server, but it can compromise any site visitor\u2019s browser context while interacting with the vulnerable posts.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. EPSS data is not available, but the vulnerability is not listed in the CISA KEV catalog, implying no widely known active exploits yet. The attack requires an attacker to post malicious content or otherwise influence post media; once a victim opens the lightbox, the injected script executes. This makes it relatively easy to exploit in an environment where user\u2011generated content is displayed."}}}}, "created": "2026-04-02T07:51:02.176914+00:00", "updated": "2026-04-02T20:18:41.031242+00:00", "vendors": ["xenforo", "xenforo$PRODUCT$xenforo"]}