CVE-2026-35056
Published: 01 April 2026
Summary
CVE-2026-35056 is a high-severity Code Injection (CWE-94) vulnerability in the XenForo forum software (vendor: XenForo). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly and comprehensively mitigates the CVE by requiring timely flaw remediation through upgrading XenForo to patched versions 2.3.9 or 2.2.18.
- AC-6 (Least Privilege): Enforces least privilege to restrict admin users' capabilities, limiting the potential for malicious admins to exploit the RCE vulnerability in the admin panel.
- Audit logging: Generates audit records for admin panel access and actions, allowing detection of anomalous activity indicative of RCE exploitation by authenticated admins.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-35056 enables remote code execution in the public-facing XenForo web application via the admin panel, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
Deeper analysis
CVE-2026-35056 is a remote code execution vulnerability (CWE-94) in XenForo forum software versions before 2.3.9 and before 2.2.18. It enables authenticated but malicious admin users to execute arbitrary code on the server via the admin panel. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-01T01:16:41.593.
An attacker requires valid admin credentials and access to the XenForo admin panel to exploit this issue over the network with low complexity and no user interaction. Successful exploitation grants high-impact control over confidentiality, integrity, and availability on the affected server, allowing arbitrary code execution in the context of the web server process.
XenForo advisories recommend upgrading to version 2.3.9 or 2.2.18, which include fixes for this security issue. Additional details on the authenticated admin RCE are available in the VulnCheck advisory.
Details
- CWE(s)