{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xenforo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35056"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","xenforo","cve-2026-35056","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35056 describes a remote code execution vulnerability in XenForo versions prior to 2.3.9 and 2.2.18. This vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary code on the server. The attacker must have valid administrator panel access to exploit this flaw. Successful exploitation leads to complete control over the affected XenForo instance and potentially the underlying server. Organizations using vulnerable XenForo versions are at high risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid administrative credentials to the XenForo panel, likely through credential theft or brute-force attack.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the XenForo admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an administrative function that allows for the injection of malicious code (e.g., template modification, plugin installation, or similar).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a payload containing malicious code (e.g., PHP code) designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the vulnerable administrative function.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the injected payload by accessing the modified function or by some other user interaction.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes on the server, granting the attacker initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage this access to install a web shell, escalate privileges, move laterally, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35056 allows a malicious administrator to execute arbitrary code on the XenForo server. This could lead to complete system compromise, data theft, defacement of the XenForo forum, or use of the server as a launching point for further attacks. Given the potentially sensitive data stored in forum databases, this vulnerability poses a significant risk to confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade XenForo to version 2.3.9 or 2.2.18 or later to patch CVE-2026-35056.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to administrator accounts.\u003c/li\u003e\n\u003cli\u003eMonitor XenForo admin panel activity for suspicious behavior, such as unexpected template modifications or plugin installations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect command execution from the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:41Z","date_published":"2026-04-01T01:16:41Z","id":"/briefs/2026-04-xenforo-rce/","summary":"XenForo before 2.3.9 and 2.2.18 allows remote code execution by authenticated, malicious admin users with admin panel access.","title":"XenForo RCE via Authenticated Admin User (CVE-2026-35056)","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-71281"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xenforo","code-injection","cve-2025-71281"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eXenForo, a popular forum software, is susceptible to a code injection vulnerability identified as CVE-2025-71281. This flaw exists in versions prior to 2.3.7 and stems from insufficient restrictions on methods callable from within templates. Specifically, a loose prefix match is used instead of a stricter first-word match when determining the accessibility of methods through callbacks and variable method calls in templates. This can allow attackers with sufficient privileges to invoke unintended methods, potentially leading to arbitrary code execution. Successful exploitation requires that an attacker has the ability to modify templates, which typically necessitates having administrative or moderator privileges. The vulnerability was reported and patched in version 2.3.7 of XenForo.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the XenForo admin panel, typically through stolen credentials or by exploiting a separate authentication vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the template management section of the admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a template that is frequently rendered or creates a new template.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the template that leverages the loose prefix matching vulnerability to call restricted PHP methods. The malicious code is crafted to exploit CVE-2025-71281.\u003c/li\u003e\n\u003cli\u003eWhen the template is rendered by XenForo, the injected code is processed. Due to the loose prefix matching, the malicious payload successfully calls a restricted function.\u003c/li\u003e\n\u003cli\u003eThe invoked method executes arbitrary code on the server, potentially leading to the installation of a web shell or other malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to further compromise the server, potentially gaining access to sensitive data or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71281 could allow an attacker with administrative or moderator privileges to execute arbitrary PHP code on the XenForo server. This can result in complete server compromise, data theft, defacement of the forum, or denial of service. The impact is significant because XenForo forums often host sensitive user data and are critical components of online communities. The severity is rated as High (CVSS 8.8) due to the potential for high confidentiality, integrity, and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XenForo to version 2.3.7 or later to patch CVE-2025-71281 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review the privileges assigned to administrators and moderators.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Template Modification\u003c/code\u003e to monitor for unauthorized modifications to XenForo templates.\u003c/li\u003e\n\u003cli\u003eMonitor XenForo logs for any unusual activity related to template rendering or method calls, and investigate any suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:40Z","date_published":"2026-04-01T01:16:40Z","id":"/briefs/2026-04-xenforo-code-injection/","summary":"XenForo before 2.3.7 is vulnerable to code injection due to a loose prefix match for methods accessible within templates, potentially allowing unauthorized method invocations.","title":"XenForo Template Code Injection Vulnerability (CVE-2025-71281)","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-code-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-71282"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["path-disclosure","cve-2025-71282","xenforo"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-71282 details a path disclosure vulnerability affecting XenForo versions prior to 2.3.7. The vulnerability arises due to insufficient restrictions on error message generation when encountering \u003ccode\u003eopen_basedir\u003c/code\u003e restrictions. By triggering specific errors related to file access, an attacker can elicit exception messages that reveal the server\u0026rsquo;s internal filesystem structure. This information can then be leveraged to further understand the system\u0026rsquo;s configuration, identify potential attack vectors, and potentially bypass security measures. The vulnerability was reported by VulnCheck and addressed in XenForo 2.3.7. This vulnerability could expose sensitive information about the web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a XenForo instance running a version prior to 2.3.7.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request designed to trigger a file access operation that violates \u003ccode\u003eopen_basedir\u003c/code\u003e restrictions. This could involve manipulating URL parameters or POST data to request access to restricted files or directories.\u003c/li\u003e\n\u003cli\u003eXenForo attempts to access the file or directory specified in the malicious request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopen_basedir\u003c/code\u003e restriction prevents XenForo from accessing the requested resource.\u003c/li\u003e\n\u003cli\u003eXenForo generates an exception message containing the full filesystem path of the attempted file access.\u003c/li\u003e\n\u003cli\u003eThe exception message is displayed to the attacker, revealing the server\u0026rsquo;s internal directory structure.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the disclosed filesystem paths to gather information about the server\u0026rsquo;s configuration and identify potential targets for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71282 allows attackers to obtain sensitive information about the XenForo server\u0026rsquo;s filesystem. This information can be used to map out the server\u0026rsquo;s directory structure, identify configuration files, and potentially locate other sensitive data. While the vulnerability does not directly lead to code execution or data modification, the disclosed information can significantly aid attackers in reconnaissance and subsequent exploitation attempts. The number of affected XenForo installations is unknown, but the impact is potentially widespread given the popularity of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XenForo installations to version 2.3.7 or later to remediate CVE-2025-71282.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to detect and block requests attempting to trigger \u003ccode\u003eopen_basedir\u003c/code\u003e violations. Analyze webserver logs for HTTP requests resulting in server errors that contain file paths.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of file access attempts that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:40Z","date_published":"2026-04-01T01:16:40Z","id":"/briefs/2026-04-xenforo-path-disclosure/","summary":"XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions, allowing attackers to gain sensitive information about the server's directory structure.","title":"XenForo Path Disclosure via Open-Basedir Restrictions (CVE-2025-71282)","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-path-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-71278"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-71278","oauth2","xenforo","incorrect-authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eXenForo, a popular forum software, has a security vulnerability (CVE-2025-71278) affecting versions prior to 2.3.5. Specifically, the vulnerability lies in the OAuth2 client application authorization process. OAuth2 clients can request scopes beyond those they are authorized to access. This vulnerability impacts any XenForo 2.3 installation utilizing OAuth2 clients prior to upgrading to version 2.3.5. Successful exploitation could allow malicious or compromised OAuth2 client applications to escalate privileges and access sensitive data or functionality within the XenForo forum.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a malicious OAuth2 client application within the vulnerable XenForo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an OAuth2 authorization request, including scopes that the client should not be permitted to access according to XenForo\u0026rsquo;s intended authorization model.\u003c/li\u003e\n\u003cli\u003eThe vulnerable XenForo instance fails to properly validate the requested scopes against the client\u0026rsquo;s authorized permissions.\u003c/li\u003e\n\u003cli\u003eThe XenForo server grants access tokens with the requested, unauthorized scopes.\u003c/li\u003e\n\u003cli\u003eThe malicious OAuth2 client application uses the access token with the expanded privileges to interact with the XenForo API.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they are not intended to be authorized for, such as accessing private user data, modifying forum settings, or performing administrative tasks depending on the scopes gained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71278 can lead to unauthorized data access, privilege escalation, and potential compromise of the XenForo forum. This can impact all users of the forum, leading to data breaches, defacement, or disruption of service. The severity depends on the unauthorized scopes obtained, but could range from accessing private messages to complete administrative control over the forum.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade XenForo installations to version 2.3.5 or later to remediate CVE-2025-71278 (reference: XenForo advisory in references).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on OAuth2 authorization requests to identify and mitigate potential abuse (reference: generic security best practice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T01:16:40Z","date_published":"2026-04-01T01:16:40Z","id":"/briefs/2026-04-xenforo-oauth2-unauth-scope/","summary":"XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially allowing client applications to gain access beyond their intended authorization level due to improper authorization checks.","title":"XenForo OAuth2 Unauthorized Scope Request Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xenforo-oauth2-unauth-scope/"}],"language":"en","title":"CraftedSignal Threat Feed — Xenforo","version":"https://jsonfeed.org/version/1.1"}