CVE-2026-35056
Received Received - Intake
Remote Code Execution in XenForo Admin Panel Before

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35056
EUVD
EUVD-2026-17743
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
xenforo xenforo to 2.2.18 (exc)
xenforo xenforo From 2.3.0 (inc) to 2.3.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-35056 allows authenticated malicious admin users to execute arbitrary code on the server, which can lead to unauthorized access, data breaches, and compromise of system integrity.

Such a vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data, maintaining confidentiality, integrity, and availability of systems.

If exploited, this vulnerability could result in unauthorized disclosure or alteration of personal or protected health information, potentially leading to regulatory violations and associated penalties.

Executive Summary

CVE-2026-35056 is a high-severity remote code execution (RCE) vulnerability in XenForo versions before 2.3.9 and 2.2.18.

This flaw occurs due to improper control of code generation (CWE-94), which allows authenticated admin users with malicious intent to execute arbitrary code on the server.

In other words, if an attacker has access to the admin panel, they can run any code they want on the server hosting XenForo.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with admin access to execute arbitrary code on the server.

  • Compromise of server confidentiality, integrity, and availability.
  • Potential full control over the server, leading to data theft, data loss, or service disruption.
  • If admin credentials are compromised or misused, the attacker can exploit this vulnerability remotely without user interaction.
Mitigation Strategies

To mitigate CVE-2026-35056, immediately upgrade XenForo to version 2.3.9 or later, or 2.2.18 or later, as these versions include security fixes that prevent this remote code execution vulnerability.

Additionally, restrict and monitor admin panel access carefully to ensure that only trusted and authenticated administrators have access, reducing the risk of malicious exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35056. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart