Vulnerability Details CVE-2026-35055
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.2%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-35055
-
cpe:2.3:a:xenforo:xenforo:*
-
cpe:2.3:a:xenforo:xenforo:-
-
cpe:2.3:a:xenforo:xenforo:2.2.14
-
cpe:2.3:a:xenforo:xenforo:2.2.16
-
cpe:2.3:a:xenforo:xenforo:2.2.7