Home / Vulnerability Intelligence / CVE-2026-35056

CVE-2026-35056 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 1, 2026

XenForo - Remote Code Execution

Published: April 1, 2026Updated: April 1, 2026KEVRemote Exploitable

Overview

XenForo < 2.3.9 and < 2.2.18 contains a remote code execution caused by malicious input from authenticated admin users, letting attackers with admin panel access execute arbitrary code on the server, exploit requires admin privileges.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 26.0%(Probability of exploitation in next 30 days)

Impact

Authenticated admin users can execute arbitrary code on the server, leading to full system compromise.

Mitigation

Update to version 2.3.9 or 2.2.18 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 1, 2026

🟠 CVE-2026-35056 - High (8.8) XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35056/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-35056
Severity: High
CVSS Score: 8.8
Type: remote_code_execution
Status: new
EPSS: 26.0%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

26.0%Probability of exploitation in the next 30 days