
XenForo 2.3.8 and earlier allows malicious scripts to be injected via BB code

CVE-2026-35054
Summary

If you use XenForo, make sure you're running version 2.3.9 or later. Earlier versions let attackers inject malicious scripts into your forum through BB code; the scripts are stored and run when other users view the content, which could harm those users or be used to steal sensitive information. Update XenForo as soon as possible to fix this issue.

Original title
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when othe...
Original description
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.
NVD CVSS 3.1: 6.4
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026