CVE-2026-51833
Received Received - Intake

SSRF Vulnerability in XenForo 2.3.8

Vulnerability report for CVE-2026-51833, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: MITRE

Description

Xenforo 2.3.8 is vulnerable to SSRF. Attackers that have administrator privileges or are able to add/save RSS feeds can enumerate internal services (ports) or expose the original IP address of the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
xenforo xenforo 2.3.8
xenforo xenforo to 2.3.6 (exc)
xenforo xenforo 2.3.10
xenforo xenforo 2.3.11
xenforo xenforo 2.2.19

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-51833 is an SSRF vulnerability in XenForo versions 2.3.6 and below. It allows authenticated attackers with admin privileges or access to RSS feed settings to send crafted requests to internal services or localhost, exposing internal ports and the server's original IP address.

Detection Guidance

To detect this SSRF vulnerability in XenForo, check for unusual RSS feed configurations or requests to localhost/internal IP addresses. Review server logs for outbound connections to 127.0.0.1 or internal network ranges from the XenForo application. No specific commands are provided in the resources, but monitoring network traffic from the XenForo process may help identify suspicious activity.

Impact Analysis

Attackers could map internal network services, identify the server's real IP address, or potentially access sensitive internal resources. This could lead to further exploitation if internal services are misconfigured or lack proper authentication.

Compliance Impact

SSRF vulnerabilities can violate data protection requirements by exposing internal systems or sensitive network information. This may lead to non-compliance with GDPR (data security) or HIPAA (protected health information safeguards) if exploited to access unauthorized data.

Mitigation Strategies
  • Upgrade XenForo to the latest version (2.3.11 or higher) as it includes security fixes.
  • Restrict access to the RSS feed management feature to trusted administrators only.
  • Implement network-level restrictions to block outbound requests to localhost or internal IP ranges from the XenForo server.
  • Monitor and audit RSS feed configurations for any unauthorized or suspicious entries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart