What is CVE-2026-35056?

CVE-2026-35056 is a high-severity vulnerability in Xenforo, classified under Code Injection. CVSS score: 7.2/10. Published 2026-04-01.

How severe is CVE-2026-35056?

High severity. CVSS v3 base score is 7.2 out of 10.

RCE in Xenforo

CVE-2026-35056

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.002 (36.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Xenforo — versions 2.3.0, 0

Weakness classification (CWE)

CWE-94 — Code Injection

References

XenForo 2.3.9 (inc XFMG) & 2.2.18 Released (Security Fix) (vendor-advisory, patch)
VulnCheck Advisory: XenForo Remote Code Execution via Authenticated Admin (third-party-advisory)

Frequently asked questions

What is CVE-2026-35056?: CVE-2026-35056 is a high-severity vulnerability in Xenforo, classified under Code Injection. CVSS score: 7.2/10. Published 2026-04-01.
How severe is CVE-2026-35056?: High severity. CVSS v3 base score is 7.2 out of 10.