Executive Summary

CVE-2026-35057 is a stored cross-site scripting (XSS) vulnerability in XenForo versions before 2.3.10 and 2.2.19. It occurs in the structured text mentions feature, primarily affecting legacy profile post content.

An attacker can craft malicious mentions that are stored in the system and executed when other users view the affected content, allowing script injection.

Technically, the vulnerability arises from a placeholder collision during output rendering between two functions handling structured text mentions. This collision causes raw HTML to be injected inside an HTML attribute, breaking the attribute context and enabling XSS execution.

Attackers exploit this by crafting mention usernames containing special placeholder byte sequences that bypass input filters and cause the injection of malicious scripts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to inject and execute malicious scripts in the context of other users viewing legacy profile post content.

The impact includes potential theft of user session data, unauthorized actions performed on behalf of users, and compromise of user accounts or sensitive information.

Because the attack requires user interaction (viewing the malicious content), it can be used to target specific users or groups within the XenForo community.

The CVSS v3.1 score of 6.4 indicates a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed for some aspects.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your XenForo installation is running a vulnerable version prior to 2.3.10 or 2.2.19, and checking for stored cross-site scripting payloads in legacy profile post content mentions.

One practical approach is to verify the XenForo version installed on your system. This can typically be done by checking the version number in the admin control panel or by running commands to read version files on the server.

• Check XenForo version via command line by inspecting the version file, for example: `cat src/XF.php | grep 'const VERSION'` or similar files where the version is declared.
• Search the database for suspicious mentions in legacy profile post content that may contain encoded or unusual byte sequences such as the placeholder byte `\x1A` or encoded forms like `%1A`.
• Use web application scanning tools or custom scripts to detect stored XSS payloads in user-generated content, focusing on structured text mentions.

Additionally, Resource 3 provides a proof-of-concept script (`xss.sh`) that automates authentication, posting of payloads, and report generation to confirm the presence of the vulnerability on a target XenForo installation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended immediate mitigation step is to upgrade your XenForo installation to version 2.3.10 or 2.2.19 or later, as these versions include the critical security fix addressing this stored XSS vulnerability.

If a full upgrade is not immediately possible, you can apply the official manual patch provided by XenForo by extracting the patch zip files (2310-patch.zip for 2.3.10 or 2219-patch.zip for 2.2.19) and uploading the contents to the root of your XenForo installation.

Note that manual patching will cause the 'File health check' to report 'Unexpected contents' due to modified files, which is expected and safe to ignore.

For XenForo Cloud customers running version 2.3.8, the fix has already been applied automatically.

Additionally, ensure that all official add-ons are updated to compatible versions (2.3.10 or later) to maintain stability and security.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0