CVE-2026-35057

MEDIUM

6.4

Descripcion

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

Detalles CVE

Puntuacion CVSS v3.16.4

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado4/1/2026

Ultima modificacion4/1/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

xenforo:xenforo

Debilidades (CWE)

CWE-79

Referencias

https://github.com/methosiea/xenforo-2-xss(disclosure@vulncheck.com)

https://xenforo.com/community/threads/xenforo-2-3-10-add-ons-and-2-2-19-released-includes-security-fix.236249/(disclosure@vulncheck.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.