
XenForo Admin Panel Security Risk: Malicious Admin Can Run Code

CVE-2026-35056
Summary

XenForo, a forum software package, has a code injection vulnerability. An attacker who already has admin panel access can run malicious code on the server, which could compromise data and disrupt the forum. Update XenForo to 2.3.9 or 2.2.18 to fix this issue.

Original title
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Original description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-94 Code Injection
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026