CVE-2025-71281

High CVSS: 8.7

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.

Vendor

Xenforo

Product

Xenforo

CWE

CWE-94

Yayın Tarihi

2026-04-01 01:16:40

Güncelleme

2026-04-01 18:52:54

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-94 Xenforo HIGH Xenforo 2026

Referanslar

https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/

Benzer Kayıtlar

Medium

CVE-2026-35054

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can in…

Medium

CVE-2026-35055

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. A…

High

CVE-2026-35056

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users.…

Medium

CVE-2026-35057

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions,…

High

CVE-2025-71278

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using O…

Critical

CVE-2025-71279

XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may…