XenForo 2.3.7 and earlier allows unauthorized method calls
CVE-2025-71281
Summary
An attacker could potentially execute unauthorized actions in XenForo by using a template to call a method that was never meant to be reachable from template code. This is a security risk because it could allow an attacker to access or modify sensitive data. To fix this, update XenForo to version 2.3.7 or later.
Original title
XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks...
Original description
XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
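The description contrasts a loose prefix match with a strict first-word match for deciding which method names template code may call. The following is an added illustration of that distinction, written for this page; it is not XenForo's code, and the allowed words and method names in it are constructed, not taken from the product. A prefix check accepts any name that merely begins with an allowed word, so a name whose first word is longer than, but starts with, an allowed word slips through; a first-word check extracts the leading camelCase word and requires an exact match.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist of leading "verb" words that template code may invoke.
# Hypothetical; the real list used by the software is not on the page.
ALLOWED_FIRST_WORDS = frozenset({"is", "has", "get", "render"})


def loose_prefix_allowed(method: str) -> bool:
    """Weak check: passes whenever the name merely starts with an allowed word.

    'hashPassword' passes because it begins with 'has', even though its
    first word is 'hash'.
    """
    return any(method.startswith(word) for word in ALLOWED_FIRST_WORDS)


def first_word(method: str) -> Optional[str]:
    """Return the leading lowercase word of a camelCase identifier.

    Returns None for names that do not start with a lowercase word
    (leading underscore, uppercase, digit), which the strict check rejects.
    """
    match = re.match(r"^[a-z]+", method)
    return match.group(0) if match else None


def first_word_allowed(method: str) -> bool:
    """Strict check: the entire first word must equal an allowed word."""
    return first_word(method) in ALLOWED_FIRST_WORDS


def compare(names) -> Dict[str, Tuple[bool, bool]]:
    """Map each name to (loose_prefix_result, first_word_result)."""
    return {n: (loose_prefix_allowed(n), first_word_allowed(n)) for n in names}


# Constructed sample names; the ones where the two results differ are the
# cases a prefix-only allowlist lets through.
SAMPLE_NAMES = [
    "hasPermission",   # both allow: first word 'has'
    "hashPassword",    # prefix allows ('has'), first word 'hash' is denied
    "issueRefund",     # prefix allows ('is'), first word 'issue' is denied
    "getTitle",        # both allow
    "gettingStarted",  # prefix allows ('get'), first word 'getting' is denied
    "renderRow",       # both allow
    "_internal",       # neither allows
]

if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLE_NAMES).items():
        flag = "  <-- differs" if loose != strict else ""
        print(f"{name:16} prefix={loose!s:5} first_word={strict!s:5}{flag}")
```

Running the module prints one row per sample name; the rows flagged as differing are exactly the names a prefix match would accept and a first-word match rejects, which is the gap the original description refers to.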
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type: CWE-94 (Code Injection)
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026