XenForo
cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*
- < 2.3.9
- < 2.2.18
A cross-site scripting (XSS) vulnerability has been identified in XenForo versions prior to 2.3.9 and prior to 2.2.18. The issue arises from lightbox usage in posts, allowing attackers to inject malicious scripts that execute when users interact with the affected post content.
Successful exploitation causes the injected scripts to execute in the context of the user's browser.
Users can upgrade to XenForo 2.3.9 or 2.2.18, both of which include the necessary security fix. For those on XenForo 2.3.7 or earlier, a specific patch is available. Instructions for applying the patch or upgrading are provided in the XenForo release announcement.