CVE-2026-35057

Sažetak

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

Reference

https://github.com/methosiea/xenforo-2-xss
https://www.vulncheck.com/advisories/xenforo-stored-cross-site-scripting-via-structured-text-mentions
https://xenforo.com/community/threads/xenforo-2-3-10-add-ons-and-2-2-19-released-includes-security-fix.236249/

CVSS

Base:	6.4
Impact:	2.7
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

01-04-2026 - 01:16

Objavljeno

01-04-2026 - 01:16