CVE-2026-35057
Stored XSS in XenForo Mentions Affects Legacy Profile Posts
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xenforo | xenforo | to 2.2.19 (exc) |
| xenforo | xenforo | From 2.3.0 (inc) to 2.3.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-35057 is a stored cross-site scripting (XSS) vulnerability in XenForo versions before 2.3.10 and 2.2.19. It occurs in the structured text mentions feature, primarily affecting legacy profile post content.
An attacker can craft malicious mentions that are stored in the system and executed when other users view the affected content, allowing script injection.
Technically, the vulnerability arises from a placeholder collision during output rendering between two functions handling structured text mentions. This collision causes raw HTML to be injected inside an HTML attribute, breaking the attribute context and enabling XSS execution.
Attackers exploit this by crafting mention usernames containing special placeholder byte sequences that bypass input filters and cause the injection of malicious scripts.
How can this vulnerability impact me? :
This vulnerability allows attackers to inject and execute malicious scripts in the context of other users viewing legacy profile post content.
The impact includes potential theft of user session data, unauthorized actions performed on behalf of users, and compromise of user accounts or sensitive information.
Because the attack requires user interaction (viewing the malicious content), it can be used to target specific users or groups within the XenForo community.
The CVSS v3.1 score of 6.4 indicates a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed for some aspects.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your XenForo installation is running a vulnerable version prior to 2.3.10 or 2.2.19, and checking for stored cross-site scripting payloads in legacy profile post content mentions.
One practical approach is to verify the XenForo version installed on your system. This can typically be done by checking the version number in the admin control panel or by running commands to read version files on the server.
- Check XenForo version via command line by inspecting the version file, for example: `cat src/XF.php | grep 'const VERSION'` or similar files where the version is declared.
- Search the database for suspicious mentions in legacy profile post content that may contain encoded or unusual byte sequences such as the placeholder byte `\x1A` or encoded forms like `%1A`.
- Use web application scanning tools or custom scripts to detect stored XSS payloads in user-generated content, focusing on structured text mentions.
Additionally, Resource 3 provides a proof-of-concept script (`xss.sh`) that automates authentication, posting of payloads, and report generation to confirm the presence of the vulnerability on a target XenForo installation.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended immediate mitigation step is to upgrade your XenForo installation to version 2.3.10 or 2.2.19 or later, as these versions include the critical security fix addressing this stored XSS vulnerability.
If a full upgrade is not immediately possible, you can apply the official manual patch provided by XenForo by extracting the patch zip files (2310-patch.zip for 2.3.10 or 2219-patch.zip for 2.2.19) and uploading the contents to the root of your XenForo installation.
Note that manual patching will cause the 'File health check' to report 'Unexpected contents' due to modified files, which is expected and safe to ignore.
For XenForo Cloud customers running version 2.3.8, the fix has already been applied automatically.
Additionally, ensure that all official add-ons are updated to compatible versions (2.3.10 or later) to maintain stability and security.