Fixed versions: 2.3.9 (2.3.x branch) and 2.2.18 (2.2.x branch)
CVE-2026-35055 describes a cross-site scripting (XSS) vulnerability in XenForo, a popular forum software. An attacker who can author post content can inject script that runs in other users' browsers when they open that content in the lightbox feature. Affected releases are 2.3.x before 2.3.9 and 2.2.x before 2.2.18; the fix ships in XenForo 2.3.9 and 2.2.18.
Successful exploitation of CVE-2026-35055 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session on the forum. From there the script acts as the victim: it can issue requests with the victim's privileges (including moderator or administrator actions if the victim holds them), read page content, redirect the victim to a phishing site, or deface the forum. Whether session cookies can be read directly depends on whether they carry the HttpOnly flag; even when they do, script running in the forum's origin can still drive the application on the victim's behalf. The impact is greater on forums used for sensitive or private discussions. Because the lightbox is the normal way images and other media in posts are viewed, the vulnerable code path is exercised routinely by ordinary users, which makes it an attractive injection point. As with other XSS flaws of this kind, the root cause is user-supplied data reaching the page without being encoded for the HTML context it is inserted into.
CVE-2026-35055 was publicly disclosed on April 1, 2026. There is no indication of active exploitation at this time, and the CVE is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) is known yet; once one appears, exploitation is plausible, since the attacker needs only the ability to create post content that other users view in the lightbox.
Exploit Status: no known active exploitation. EPSS: 0.03% (9th percentile).
The primary mitigation for CVE-2026-35055 is to upgrade: 2.3.9 or later on the 2.3.x branch, 2.2.18 or later on the 2.2.x branch. If an immediate upgrade is not possible, interim measures reduce exposure but do not fix the flaw: a WAF rule that blocks script tags and event-handler attributes in submitted post content (expect false positives and trivial bypasses, because the exact injection vector is not public); restricting which user groups may post media, or temporarily disabling the lightbox; and a Content-Security-Policy that disallows inline script, which limits what an injected payload can do. If you run custom templates or add-ons that feed post data into the lightbox, review them for the same mistake: encode data for the HTML context it lands in rather than relying on a blacklist of bad strings. After upgrading, a quick sanity check is to post a simple payload such as <script>alert(1)</script>, and one aimed at an attribute context such as "><img src=x onerror=alert(1)>, in a post whose media is opened in the lightbox, and confirm that nothing executes. A clean result from this check does not prove the fix is complete, since the advisory does not publish the exact vector; the authoritative check is the running version number.
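To make the "encode for the context" point above concrete, the following is an added example and not XenForo's code: a hypothetical lightbox renderer that builds markup from two post-supplied fields (an image URL and a caption, both assumed names) in the unsafe way the vulnerability class describes, next to a hardened version that escapes per HTML context and rejects non-http(s) URLs. The sample post items at the bottom are constructed for the demonstration.

```javascript
// Added example, not XenForo's code. Field names (src, caption) and the
// template shape are assumptions chosen to illustrate the vulnerability
// class, not the actual XenForo lightbox markup.

// Escape for HTML text nodes and double-quoted attribute values.
// Ampersand goes first so already-produced entities are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only absolute http(s) URLs in href/src. Anything else
// (javascript:, data:, relative or unparseable) becomes a harmless placeholder.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (_) {
    // not parseable as an absolute URL
  }
  return "about:blank";
}

// Vulnerable pattern: poster-controlled fields are concatenated straight
// into attribute values and text, so a quote or angle bracket in the data
// changes the markup.
function renderLightboxUnsafe(item) {
  return `<a href="${item.src}" class="lightbox">` +
         `<img src="${item.src}" alt="${item.caption}">` +
         `<span class="caption">${item.caption}</span></a>`;
}

// Hardened pattern: validate the URL's scheme, then entity-encode every
// value for the attribute/text context it is placed in.
function renderLightboxSafe(item) {
  const url = escapeHtml(safeUrl(item.src));
  const caption = escapeHtml(item.caption);
  return `<a href="${url}" class="lightbox">` +
         `<img src="${url}" alt="${caption}">` +
         `<span class="caption">${caption}</span></a>`;
}

// Self-check used only by this example. The template has exactly five
// quoted attributes, so a correctly encoded render contains exactly ten
// '"' characters; more means poster data broke out of an attribute.
// Also flag a raw <script> tag and a javascript: href.
function looksInjected(html) {
  const quotes = (html.match(/"/g) || []).length;
  return quotes !== 10 || /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Constructed sample post items (not real forum data).
const samples = [
  { src: "https://example.com/a.png", caption: "holiday photo" },
  { src: "https://example.com/b.png", caption: '"><script>alert(1)</script>' },
  { src: "https://example.com/c.png", caption: '" onerror="alert(1)' },
  { src: "javascript:alert(document.cookie)", caption: "click me" },
];

// Returns, per sample, whether each renderer produced injected markup.
function demo() {
  return samples.map((item) => ({
    unsafe: looksInjected(renderLightboxUnsafe(item)),
    safe: looksInjected(renderLightboxSafe(item)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) console.log(r);
}
```

The three hostile samples each break the unsafe renderer in a different context (tag injection in text, attribute breakout on alt, a javascript: URL in href), and all three are neutralised by the safe renderer. The point for reviewers of templates or add-ons is that escaping alone is not enough for URL attributes: `escapeHtml` leaves `javascript:alert(1)` untouched, so scheme validation has to happen before encoding.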
Update XenForo to version 2.3.9 (2.3.x branch) or 2.2.18 (2.2.x branch) or later. This resolves the cross-site scripting (XSS) vulnerability in lightbox usage within posts. The update can be applied through the XenForo admin panel.
CVE-2026-35055 is a cross-site scripting (XSS) vulnerability in XenForo 2.3.x before 2.3.9 and 2.2.x before 2.2.18 that lets an attacker inject script through post content rendered in the lightbox feature.
You are affected if you run a XenForo 2.3.x release before 2.3.9 or a 2.2.x release before 2.2.18. Upgrade to 2.3.9 or 2.2.18 (or later) to fix it.
Upgrade XenForo to 2.3.9 or 2.2.18 or later. A WAF rule is a temporary stopgap, not a fix, if the upgrade must wait.
There is currently no indication of active exploitation, but the vulnerability is likely to be exploited once a public proof-of-concept is released.
Refer to the official XenForo security advisory on their website for detailed information and updates: [https://xenforo.com/security/advisories/]