XenForo Template Method Call Restriction Bypass Vulnerability

Vulnerability

XenForo versions before 2.3.7 do not adequately restrict which methods template code may call. The check is a lenient prefix match on the method name rather than an exact allowlist, so callbacks and variable method invocations in templates can reach methods that were never meant to be exposed to template code.
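The difference between a prefix match and an exact allowlist is easiest to see in code. The following is an added illustration, not XenForo's own code: the prefix list, the per-class allowlist, the `Target` class and the `TemplateMethodGate` dispatcher are all hypothetical, chosen only to show why a name-prefix check lets a template-controlled method name reach a method it should not.

```php
<?php
// Added illustration, not XenForo's code. The prefix list, the method
// allowlist and the Target class are hypothetical; only the shape of
// the check (prefix match vs exact allowlist) is the point.

final class TemplateMethodGate
{
    // Lenient gate: a method is callable from a template if its name
    // merely starts with one of these prefixes. This is the pattern
    // the advisory describes as the flaw.
    private const ALLOWED_PREFIXES = ['get', 'is', 'has'];

    // Strict gate: exact method names, declared per class.
    private const ALLOWED_METHODS = [
        Target::class => ['getTitle', 'isVisible'],
    ];

    public static function lenientAllows(string $method): bool
    {
        foreach (self::ALLOWED_PREFIXES as $prefix) {
            if (strncmp($method, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        }
        return false;
    }

    public static function strictAllows(object $target, string $method): bool
    {
        $allowed = self::ALLOWED_METHODS[get_class($target)] ?? [];
        return in_array($method, $allowed, true);
    }

    // Dispatcher a compiled template would call for a variable
    // invocation such as {$obj->{$name}()}: $method is only known here.
    public static function call(object $target, string $method, array $args, bool $strict): mixed
    {
        $ok = $strict ? self::strictAllows($target, $method) : self::lenientAllows($method);
        if (!$ok) {
            throw new RuntimeException("method not callable from templates: $method");
        }
        return $target->$method(...$args);
    }
}

// Hypothetical object handed to a template.
final class Target
{
    public function getTitle(): string { return 'Hello'; }
    public function isVisible(): bool { return true; }

    // Shares the 'get' prefix but must never be reachable from a template.
    public function getShellOutput(string $cmd): string
    {
        return "(would have executed: $cmd)";
    }
}

// Constructed inputs: method names as a template could supply them.
$target = new Target();
foreach ([['getTitle', []], ['getShellOutput', ['id']], ['delete', []]] as [$name, $args]) {
    foreach ([false, true] as $strict) {
        try {
            $result = TemplateMethodGate::call($target, $name, $args, $strict);
            $outcome = 'allowed -> ' . var_export($result, true);
        } catch (RuntimeException $e) {
            $outcome = 'blocked';
        }
        printf("%-7s %-15s %s\n", $strict ? 'strict' : 'lenient', $name, $outcome);
    }
}
```

Run with `php gate.php`: the lenient gate lets `getShellOutput` through because it starts with `get`, while the strict gate blocks everything that is not listed by exact name for that class. Two design points carry over to any template engine: the allowlist should be keyed by class, because a template may be handed arbitrary objects, and the check has to sit at the call site, as here, because the method name in a variable invocation is not known until run time.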

Impact

An attacker who can get their own template code compiled, for example through template editing rights in the admin control panel or through an untrusted style or add-on, could invoke methods that template code is not meant to reach. Depending on the method, that ranges from manipulating application state in unintended ways up to arbitrary code execution on the forum server.

Remediation

Upgrade to XenForo 2.3.7 or apply the patch the vendor released for earlier 2.3.x versions. Instructions for both are in the XenForo 2.3.7 release announcement. After upgrading, confirm the reported version in the admin control panel, and review any custom templates and third-party add-ons for method calls that the tightened restriction may now reject.

Added: Apr 1, 2026, 1:35 AM
Updated: Apr 1, 2026, 1:35 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.3
exploitability: 4.8
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.