
7 matches found

ATTACKERKB
added 2026/04/01 12:30 a.m. · 0 views

CVE-2026-35057

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content...

CVSS 6.4 · AI score 5.8 · EPSS 0.00034
Exploits 1 · References 4 · Affected Software 1
ATTACKERKB
added 2026/04/01 12:30 a.m. · 0 views

CVE-2025-71281

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations...

CVSS 8.8 · AI score 5.8 · EPSS 0.00061
Exploits 0 · References 3 · Affected Software 1
CVE
added 2026/04/01 12:30 a.m. · 5 views

CVE-2025-71278

CVE-2025-71278 — XenForo: Affected are XenForo versions prior to 2.3.5. The issue enables OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended authorization. Impact is described in the CVSS metrics (high severity across confidentiality, integrity...

CVSS 8.8 · AI score 5.9 · EPSS 0.0005
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2026/04/01 12:0 a.m. · 2 views

PT-2026-29430

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...

CVSS 6.1 · AI score 5.8 · EPSS 0.00034
Exploits 0 · References 3
CNNVD
added 2026/04/01 12:0 a.m. · 2 views

Xenforo information disclosure vulnerability

Xenforo is a forum software developed by the Xenforo company. Versions of XenForo prior to 2.3.7 had a vulnerability related to information leakage, which originated from caching of local account pages on shared systems. This vulnerability could potentially lead to sensitive user information bein...

CVSS 6.9 · AI score 5.8 · EPSS 0.00015
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2021-29986

Malicious code in bioql PyPI...

CVSS 4.8 · AI score 5.4 · EPSS 0.01237
Exploits 2 · References 2
Positive Technologies
added 2024/02/02 12:0 a.m. · 3 views

PT-2024-20695 · Xenforo · Xenforo

Name of the Vulnerable Software and Affected Versions: XenForo versions prior to 2.2.14
Description: The issue allows Directory Traversal with write access by an authenticated user who has permissions to administer styles. This is possible when using a ZIP archive for Styles Import...

CVSS 8.1 · AI score 6.4 · EPSS 0.00297
Exploits 0 · References 8