XenForo Open Redirect Vulnerability in getDynamicRedirect() Function

Vulnerability

An open redirect vulnerability has been identified in XenForo versions prior to 2.2.17 and 2.3.0. The issue lies in the getDynamicRedirect() function, which does not properly validate the redirect target it is given. Because the check can be bypassed with a crafted URL containing newline characters, a user-credentials (userinfo) component, or a host that does not match the site's own, an attacker can cause the forum to redirect users to an arbitrary external site.
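The three bypass classes named above (newlines, embedded credentials, host mismatch) are exactly what a redirect-target check has to reject. The validator below is an added example, not XenForo's code or its patch: it is a stand-alone, allow-list style check that accepts only same-site targets, with the site host "trusted.example" and the sample targets being constructed values. It inspects the raw string for control characters before parsing, because Python's urlsplit() silently strips tab, CR and LF, so a check done after parsing would miss them.

```python
"""Allow-list validation of a user-supplied redirect target.

Added example (not XenForo's getDynamicRedirect()); the site host and
all sample targets are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# ASCII control characters (including CR and LF) and backslash, which
# browsers normalise to "/", must never appear in a redirect target.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f\\]")


def is_safe_redirect(target: str, site_host: str) -> bool:
    """Return True only if `target` stays on `site_host`.

    Accepted: a single-slash relative path ("/threads/1/") or an absolute
    http(s) URL whose hostname equals site_host (case-insensitive).
    Rejected: empty targets, control characters, protocol-relative URLs
    ("//host"), non-http schemes, any userinfo component, and any other host.
    """
    if not target:
        return False
    # Check the raw string first: urlsplit() strips "\t\r\n" before parsing,
    # so a newline-based bypass would otherwise disappear from view.
    if _FORBIDDEN.search(target):
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Purely relative target; reject "//host" and anything not rooted at "/".
        return target.startswith("/") and not target.startswith("//")

    if parts.scheme.lower() not in ("http", "https"):
        return False  # e.g. "javascript:" or "data:", or a bare "//host"

    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted.example@evil.example/" style bypass

    host = parts.hostname
    if host is None:
        return False
    return host.lower() == site_host.lower()


def safe_redirect(target: str, site_host: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback."""
    return target if is_safe_redirect(target, site_host) else fallback


if __name__ == "__main__":
    # Constructed sample inputs covering the bypass classes from the advisory.
    samples = [
        "/threads/123/",
        "https://TRUSTED.example/threads/123/",
        "//evil.example/",
        "https://trusted.example@evil.example/",
        "https://trusted.example.evil.example/",
        "/threads/123/\r\nLocation: https://evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:60} -> {safe_redirect(s, 'trusted.example')!r}")
```

The check is deliberately an allow list: rather than trying to enumerate every encoding trick, it accepts only two shapes of target and falls back to the site root for everything else. Comparing `parts.hostname` rather than `parts.netloc` is what defeats the credentials bypass, since the hostname property already excludes the userinfo part that precedes "@".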

Impact

Successful exploitation yields an open redirect: a link that appears to point at the legitimate XenForo site delivers the user to a destination chosen by the attacker, which can be used to lend credibility to phishing pages.

Remediation

Users are advised to upgrade to XenForo 2.2.17 or 2.3.1. For those on XenForo 2.2, a manual patch is available by editing the src/XF/App.php file. Instructions for applying the patch are included in the XenForo 2.2.17 release announcement.

Added: Apr 1, 2026, 1:27 AM
Updated: Apr 1, 2026, 1:27 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.2
exploitability: 6.4
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.