cvedb.io
CVE-2026-35056
HIGH · CVSS 7.2
EPSS exploitation probability: 0%
Published 2026-04-01T01:16:41.593 · Last modified 2026-06-17T10:40:02.510

Summary

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

Affected products

xenforo — xenforo

Does this affect you?

Add your gear to cvedb and we'll alert you only when xenforo ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.