HIGHCVE-2026-35056Published Modified CNA VulnCheck
CVE-2026-35056: XenForo Remote Code Execution via Authenticated Admin
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Metrics
- CVSS v4.0
- 8.6
- Severity
- HIGH
- Fixed in
- 2.2.18
- Affected Products
- 1
Affected packages
- XenForo / XenForo< 2.3.9 (from 2.3.0) · < 2.2.18 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N