CVE-2026-35056
Published: 01 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-35056 is a remote code execution vulnerability (CWE-94) in XenForo forum software versions before 2.3.9 and before 2.2.18. It enables authenticated but malicious admin users to execute arbitrary code on the server via the admin panel. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-01T01:16:41.593.
An attacker requires valid admin credentials and access to the XenForo admin panel to exploit this issue over the network with low complexity and no user interaction. Successful exploitation grants high-impact control over confidentiality, integrity, and availability on the affected server, allowing arbitrary code execution in the context of the web server process.
XenForo advisories recommend upgrading to version 2.3.9 or 2.2.18, which include fixes for this security issue. Additional details on the authenticated admin RCE are available in the VulnCheck advisory.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-35056 enables remote code execution in the public-facing XenForo web application via the admin panel, directly facilitating T1190: Exploit Public-Facing Application.