
XenForo: Malicious scripts injected through profile post content

CVE-2026-35057
Summary

Stored cross-site scripting (XSS) in XenForo's structured text mentions, primarily affecting legacy profile post content, lets an attacker inject malicious scripts that are stored and then executed when other users view the content. This could lead to unauthorized actions or data theft. Update to XenForo 2.3.10 or 2.2.19 to fix the issue.

Original title
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malic...
Original description
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.
NVD CVSS 3.1: 6.4
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026