4 matches found
CVE-2026-35054
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...
CVE-2026-35055 XenForo Cross-Site Scripting via Lightbox in Posts
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...
CVE-2025-60355
CVE-2025-60355 affects the web application OneBlog prior to version 2.3.9. The vulnerability is a Server-Side Template Injection (SSTI) via FreeMarker templates, caused by unsafe processing of templates on the server. The CVE entries indicate a high-impact profile (CVSS 3.1: 9.8, CRITICAL) with n...
PT-2019-14833
Name of the Vulnerable Software and Affected Versions: Tiny File Manager versions prior to 2.3.9
Description: The issue allows for remote code execution through the Upload from URL feature and the Edit/Rename files functionality. It affects only authenticated users.
Recommendations: For versions pri...