CVE-2025-71278

Published Apr 1, 2026

Last updated 11 hours ago

CVSS high 8.7

Overview

Description
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
xenforo

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

disclosure@vulncheck.com
CWE-863

Social media

Hype score
Not currently trending

  1. CVE-2025-71278 XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 pr… https://t.co/hG1V20vcH1

    @CVEnew

    1 Apr 2026

    124 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚡ New CVE Alert: CVE-2025-71278 📊 Severity: 8.8 🚨 Risk Level: High 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/hRl3T1UKFj #CVE-2025-71278 #CVE #High #CyberSecurity #InfoSec https://t.co/JeIqmiJrcY

    @CVEarity

    1 Apr 2026

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🟠 CVE-2025-71278 - High XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially... https://t.co/7tF7kuPit7 https://t.co/bWWuFMxjeq

    @TheHackerWire

    1 Apr 2026

    118 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-71278: HIGH] XenForo security alert: Before version 2.3.5, OAuth2 clients could request unauthorized scopes, potentially gaining access beyond their intended level. Update now to stay secure!#cve,CVE-2025-71278,#cybersecurity https://t.co/80cKEQetOV

    @CveFindCom

    1 Apr 2026

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.CVE-2026-35057
  2. XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.CVE-2026-35056
  3. XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.CVE-2026-35055
  4. XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.CVE-2026-35054
  5. XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.CVE-2025-71282

References

Sources include official advisories and independent security research.