CVE-2024-58342 MEDIUM

CVE-2024-58342: XenForo Open Redirect via getDynamicRedirect

Vendor XenForo
Product XenForo
Weakness CWE-601 · Open redirect
Published April 1, 2026
Last update April 1, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mismatches.
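The three input classes named above (embedded newlines, user credentials, host mismatches) are the ones a redirect-target check has to reject. The following is an added example of such a check, not XenForo's code or its patch; `isSafeRedirectTarget()` is a hypothetical helper and every host and URL in it is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added illustration, not XenForo source. isSafeRedirectTarget() is a
// hypothetical helper; all hosts and URLs below are constructed samples.
function isSafeRedirectTarget(string $target, string $siteHost): bool
{
    // Control characters (CR/LF included), spaces and backslashes have no
    // place in a redirect target and are a common source of parser confusion.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target) === 1) {
        return false;
    }
    // Site-relative path: exactly one leading slash ("//host" is scheme-relative).
    if ($target[0] === '/') {
        return strncmp($target, '//', 2) !== 0;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials make the visible prefix differ from the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact, case-insensitive host match: no suffix or substring comparison.
    return strcasecmp($parts['host'], $siteHost) === 0;
}

$siteHost = 'forum.example';
$samples = [
    '/threads/1/',
    'https://forum.example/members/',
    "/threads/1/\r\nX-Injected: 1",
    'https://forum.example@other.example/',
    'https://forum.example.other.example/',
    '//other.example/',
];
foreach ($samples as $url) {
    $safe = isSafeRedirectTarget($url, $siteHost);
    // Unsafe targets fall back to a fixed local page instead of being followed.
    printf("%-42s => %s\n", json_encode($url), $safe ? 'follow' : 'fallback to /');
}
```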

Key dates

02 Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated