CVE-2025-71281

HIGH 8.8

XenForo Template Method Call Restriction Bypass

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

15th

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.

CWE	CWE-94
Vendor	xenforo
Product	xenforo
Published	Apr 1, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for xenforo xenforo

Be the first to know when new high vulnerabilities affecting xenforo xenforo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

XenForo / XenForo

2.3.0 < 2.3.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

xenforo.com: https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ vulncheck.com: https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass

Credits

Cyanide