Tag
critical
advisory
XenForo RCE via Authenticated Admin User (CVE-2026-35056)
2 rules, 1 TTP, 1 CVE, 1 IOC
XenForo before 2.3.9 and 2.2.18 allows remote code execution by authenticated, malicious admin users with admin panel access.
rce
xenforo
cve-2026-35056
code-injection
high
advisory
XenForo Template Code Injection Vulnerability (CVE-2025-71281)
2 rules, 2 TTPs, 1 CVE, 1 IOC
XenForo before 2.3.7 is vulnerable to code injection due to a loose prefix match for methods accessible within templates, potentially allowing unauthorized method invocations.
xenforo
code-injection
cve-2025-71281
medium
advisory
XenForo Path Disclosure via Open-Basedir Restrictions (CVE-2025-71282)
2 rules, 1 TTP, 1 CVE
XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions, allowing attackers to gain sensitive information about the server's directory structure.
path-disclosure
cve-2025-71282
xenforo
high
advisory
XenForo OAuth2 Unauthorized Scope Request Vulnerability
2 rules, 1 TTP, 1 CVE, 2 IOCs
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially allowing client applications to gain access beyond their intended authorization level due to improper authorization checks.
cve-2025-71278
oauth2
xenforo
incorrect-authorization