CVE-2026-35056
HIGH WAF: Medium
CVSS 7.2
Published: 2026-04-01
CWE-94
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| xenforo | xenforo | up to 2.2.18 |
| xenforo | xenforo | 2.3.0 - 2.3.9 |
References
- www.vulncheck.com (Third Party Advisory)
- xenforo.com (Release Notes)