Platform
php
Component
xenforo
Fixed in
2.3.9
CVE-2026-35054 describes a stored cross-site scripting (XSS) vulnerability affecting XenForo. This flaw allows an attacker to inject malicious scripts through BB code, which are then stored and executed when other users view the content, potentially leading to account compromise or data theft. The vulnerability affects XenForo versions 2.3.0 through 2.3.9. A fix is available in version 2.3.9.
CVE-2026-35054 in XenForo, affecting versions prior to 2.3.9, represents a stored Cross-Site Scripting (XSS) vulnerability. An attacker can inject malicious code through the use of BB code within forum posts or discussions. This code is then stored in the database and executed when other users view the affected content. The potential impact includes cookie theft, redirection to malicious websites, or modification of page content, compromising forum security and integrity. The vulnerability's severity is rated at 6.4 according to CVSS. Successful exploitation could allow an attacker to take control of user accounts, perform actions on behalf of users, or even compromise forum administration if exploited in areas accessible to administrators.
The vulnerability is exploited through the manipulation of BB code. An attacker can create a post or message containing malicious JavaScript code disguised within BB code tags. When other users view this post, the JavaScript code executes in their browsers. The effectiveness of exploitation depends on the forum configuration and security measures implemented. A lack of proper validation or sanitization of BB code allows attackers to inject malicious code. The persistence of the malicious code in the database means the vulnerability can affect a large number of users if not addressed promptly.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary solution to mitigate CVE-2026-35054 is to update XenForo to version 2.3.9 or higher. This update includes the necessary fixes to prevent the injection and execution of malicious code through BB code. In the meantime, forum administrators are advised to closely monitor published content, particularly from new or untrusted users. Implementing strict moderation policies and utilizing content filtering tools can help detect and remove potentially malicious content before it is viewed by others. Users are also advised to avoid clicking on suspicious links or downloading files from unknown sources within the forum.
Actualice XenForo a la versión 2.3.9 o superior. Esta versión contiene una corrección para la vulnerabilidad XSS. La actualización se puede realizar a través del panel de administración de XenForo.
Vulnerability analysis and critical alerts directly to your inbox.
BB code is a simple markup system used in forums to format text, insert images, and create links.
If you are using a version of XenForo prior to 2.3.9, your forum is vulnerable.
Immediately update to the latest version of XenForo and perform a security audit.
Implement strict moderation policies and consider using security extensions to filter content.
Yes, updating to version 2.3.9 or higher includes the necessary fixes to prevent exploitation of this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.