{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35056", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-01T00:19:59.194Z", "datePublished": "2026-04-01T00:30:13.996Z", "dateUpdated": "2026-04-01T19:04:59.806Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T14:00:16.072Z"}, "title": "XenForo Remote Code Execution via Authenticated Admin", "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server."}], "datePublic": "2026-02-05T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"version": "2.3.0", "lessThan": "2.3.9", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "2.2.18", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.18"}]}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "name": "XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)", "tags": ["vendor-advisory", "patch"]}, {"name": "VulnCheck Advisory: XenForo Remote Code Execution via Authenticated Admin", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin"}], "credits": [{"lang": "en", "value": "UwU", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:04:49.094911Z", "id": "CVE-2026-35056", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:04:59.806Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35056", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T19:04:49.094911Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:04:55.530Z"}}], "cna": {"title": "XenForo Remote Code Execution via Authenticated Admin", "credits": [{"lang": "en", "type": "finder", "value": "UwU"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"status": "affected", "version": "2.3.0", "lessThan": "2.3.9", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "2.2.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-05T00:00:00.000Z", "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/", "name": "XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix)", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin", "name": "VulnCheck Advisory: XenForo Remote Code Execution via Authenticated Admin", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.3.9", "versionStartIncluding": "2.3.0"}, {"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.2.18"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T14:00:16.072Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35056", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:04:59.806Z", "dateReserved": "2026-04-01T00:19:59.194Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-01T00:30:13.996Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "78F0F9B0-9777-4266-83FF-74BEF672AAE8", "versionEndExcluding": "2.2.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "F317C8A1-B2B0-4C3C-AFEE-8B1050F38744", "versionEndExcluding": "2.3.9", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server."}, {"lang": "es", "value": "XenForo anterior a 2.3.9 y anterior a 2.2.18 permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) por usuarios administradores autenticados, pero maliciosos. Un atacante con acceso al panel de administraci\u00f3n puede ejecutar c\u00f3digo arbitrario en el servidor."}], "id": "CVE-2026-35056", "lastModified": "2026-04-01T18:55:19.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-01T01:16:41.593", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-remote-code-execution-via-authenticated-admin"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.18)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "XenForo", "source": "cna", "vendor": "XenForo"}, "product": "xenforo", "vendor": "xenforo"}], "analysis": {"en": {"generated_at": "2026-04-02T04:46:48.374115+00:00", "value": {"mitigation_remediation": ["Upgrade XenForo to version\u202f2.3.9 or later (or to the corresponding 2.2.18 release).", "Verify that the installation no longer uses the vulnerable versions.", "Restrict and monitor admin accounts to prevent unauthorized use of the panel."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Authenticated Admin Credentials"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to XenForo forum software released before version\u202f2.3.9 or 2.2.18. Any installation running those releases and possessing an admin account is susceptible, regardless of network exposure.", "description_and_impact": "A flaw in XenForo\u2019s admin interface allows an authenticated, malicious administrator to execute arbitrary code on the server, turning any admin account into an execution vector. This weakness corresponds to a code injection vulnerability (CWE\u201194). Successful exploitation grants a malicious user full control over the hosting environment, jeopardizing confidentiality, integrity, and availability.", "risk_and_exploitability": "The flaw scores 8.6 on the CVSS scale, indicating high severity, while the EPSS score is below 1\u202f%, implying a low likelihood of immediate exploitation, and it is not listed in CISA\u2019s KEV catalog. The attack vector is likely confined to the authenticated admin panel, so an attacker must first acquire or trick an admin into logging on; after that, arbitrary code can be run on the server, giving system\u2011wide privileges."}}}}, "created": "2026-04-02T07:51:01.078180+00:00", "updated": "2026-04-02T20:18:40.095521+00:00", "vendors": ["xenforo", "xenforo$PRODUCT$xenforo"]}