XenForo Path Disclosure Vulnerability via open_basedir Exceptions

Vulnerability

A path disclosure vulnerability has been identified in XenForo versions prior to 2.3.7. When an open_basedir restriction is in effect, the resulting exception messages include filesystem paths, and those messages can be exposed to the requesting user. An attacker could use this to learn the server's directory structure.
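As an added illustration (not XenForo's code and not the vendor patch), the PHP snippet below shows the general pattern behind this class of bug: an open_basedir violation raises a warning whose text embeds both the requested path and the allowed base directory, and a handler that returns that text to the client leaks it. The hardened variant logs the detail server-side and returns a generic message. The paths and ini values are constructed for the example.

```php
<?php
// Constructed example: how an open_basedir violation surfaces a filesystem path
// in an error message, and how to keep that detail out of the HTTP response.

declare(strict_types=1);

// Narrow open_basedir at runtime (it can only be tightened, never widened).
ini_set('open_basedir', sys_get_temp_dir());

// Promote PHP warnings (open_basedir notices included) to exceptions so they
// reach one handling point instead of being echoed or silently dropped.
set_error_handler(static function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Vulnerable pattern: the raw exception message is handed to the client.
function readFileLeaky(string $path): string
{
    try {
        return (string) file_get_contents($path);
    } catch (ErrorException $e) {
        // Message resembles: "file_get_contents(): open_basedir restriction in
        // effect. File(/etc/hostname) is not within the allowed path(s): (/tmp)"
        return 'Error: ' . $e->getMessage();
    }
}

// Hardened pattern: full detail goes to the server log, the user sees a generic message.
function readFileSafe(string $path): string
{
    try {
        return (string) file_get_contents($path);
    } catch (ErrorException $e) {
        error_log(sprintf('[%s:%d] %s', $e->getFile(), $e->getLine(), $e->getMessage()));
        return 'Error: the requested file could not be read.';
    }
}

$outside = '/etc/hostname'; // constructed: a path outside the allowed directory
echo readFileLeaky($outside), PHP_EOL; // reveals the requested path and the allowed base
echo readFileSafe($outside), PHP_EOL;  // no path information reaches the response
```

The same separation applies to a framework-level exception handler: keep getMessage() output in logs and render a fixed error string to the browser.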

Impact

Exploitation of this vulnerability discloses filesystem paths to unauthorized users, allowing an attacker to infer the server's directory structure and the installation location of the application.

Remediation

Users are advised to upgrade to XenForo version 2.3.7 or apply the available patch. Instructions for upgrading and applying the patch can be found in the XenForo 2.3.7 release announcement.

Added: Apr 1, 2026, 1:22 AM
Updated: Apr 1, 2026, 1:22 AM

Vulnerability Rating (custom algorithm)

spread: 5.2
impact: 0.6
exploitability: 7.2
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.