Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
XenForo Forum: Malicious Scripts Can Execute When Users Click on Posts
CVE-2026-35055
Summary
If you use XenForo, an attacker could inject malicious code into posts that execute when users interact with them. This can lead to unauthorized actions or data theft. Update to XenForo 2.3.9 or 2.2.18 to fix the issue.
Original title
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with...
Original description
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026