CVE-2025-71281 HIGH

CVE-2025-71281: XenForo Template Method Call Restriction Bypass

Vendor Xenforo
Product XenForo
Weakness CWE-94 · Code injection
Published April 1, 2026
Last update April 3, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

XenForo before 2.3.7 does not properly restrict which methods a template may call. The allow-list for callbacks and variable method calls in templates was enforced with a loose prefix match instead of a stricter first-word match, so a method whose name merely begins with an allowed word, rather than having that word as its whole first token, could pass the check and be invoked. The weakness is classed as CWE-94 (code injection); the fix is to upgrade to 2.3.7 or later.
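The difference between the two checks is easiest to see side by side. The PHP below is an added illustration written for this page; it is not XenForo's code, and the allow-list of words (`get`, `is`, `has`, `can`) and the reading of "first-word match" as "the allowed word must be the whole first camelCase token" are both assumptions chosen to show the class of bug, not a description of XenForo's actual allow-list or its patch.

```php
<?php
// Added illustration, not XenForo code. ALLOWED_FIRST_WORDS is an assumed
// allow-list of "safe" method-name words that a template may call.
const ALLOWED_FIRST_WORDS = ['get', 'is', 'has', 'can'];

// Loose prefix match (the vulnerable pattern the advisory describes): any
// method whose name merely starts with an allowed word is accepted.
function isMethodAllowedLoose(string $method): bool
{
    foreach (ALLOWED_FIRST_WORDS as $word) {
        if (strncmp($method, $word, strlen($word)) === 0) {
            return true;
        }
    }
    return false;
}

// Strict first-word match: the allowed word must be the whole first camelCase
// token, i.e. it must be followed by an upper-case letter, a digit, an
// underscore (snake_case is deliberately still accepted) or the end of the
// name. "isAdmin" passes; "isolate", "cancel" and "hashPassword" do not.
function isMethodAllowedStrict(string $method): bool
{
    $alternatives = implode('|', array_map('preg_quote', ALLOWED_FIRST_WORDS));
    return preg_match('/^(?:' . $alternatives . ')(?:[A-Z0-9_]|$)/', $method) === 1;
}

// Constructed method names used only to compare the two checks.
$samples = ['isAdmin', 'getTitle', 'canView', 'get_title',
            'isolate', 'cancel', 'hashPassword', 'delete'];

printf("%-14s %-6s %-6s\n", 'method', 'loose', 'strict');
foreach ($samples as $m) {
    printf("%-14s %-6s %-6s\n", $m,
        isMethodAllowedLoose($m) ? 'allow' : 'deny',
        isMethodAllowedStrict($m) ? 'allow' : 'deny');
}
```

Run it with `php prefix_check.php`: the loose check admits `isolate`, `cancel` and `hashPassword` because they share a prefix with an allowed word, while the strict check rejects all three and still accepts `isAdmin`, `getTitle`, `canView` and `get_title`. One caveat for a real implementation: PHP resolves method names case-insensitively, so a production check must normalise case (for example by matching against the declared method name on the class rather than the string written in the template) or an attacker can sidestep a case-sensitive boundary test like the one shown here.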

Key dates

02 Disclosure timeline

April 1, 2026 CVE published
April 3, 2026 Record updated