Home / Vulnerability Intelligence / CVE-2025-71281

CVE-2025-71281 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 1, 2026

XenForo - Broken Access Control

Published: April 1, 2026Updated: April 1, 2026Remote Exploitable

Overview

XenForo < 2.3.7 contains a broken access control vulnerability caused by improper restriction of callable methods in templates, letting attackers invoke unauthorized methods, exploit requires template access.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can invoke unauthorized methods, potentially leading to unauthorized actions or data access.

Mitigation

Upgrade to version 2.3.7 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 1, 2026

🟠 CVE-2025-71281 - High (8.8) XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potential... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-71281/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-71281
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: confirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days