{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71281", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-01T00:19:58.851Z", "datePublished": "2026-04-01T00:30:10.890Z", "dateUpdated": "2026-04-03T16:43:31.485Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:21.449Z"}, "datePublic": "2025-07-15T00:00:00.000Z", "title": "XenForo Template Method Call Restriction Bypass", "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"version": "2.3.0", "lessThan": "2.3.7", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0", "versionEndExcluding": "2.3.7"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "name": "XenForo 2.3.7 Released (Includes Security Fixes)", "tags": ["vendor-advisory", "patch"]}, {"name": "VulnCheck Advisory: XenForo Template Method Call Restriction Bypass", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass"}], "credits": [{"lang": "en", "value": "Cyanide", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:43:21.081334Z", "id": "CVE-2025-71281", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:43:31.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-71281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T16:43:21.081334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:43:28.174Z"}}], "cna": {"title": "XenForo Template Method Call Restriction Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Cyanide"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "XenForo", "product": "XenForo", "versions": [{"status": "affected", "version": "2.3.0", "lessThan": "2.3.7", "versionType": "semver"}]}], "datePublic": "2025-07-15T00:00:00.000Z", "references": [{"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "name": "XenForo 2.3.7 Released (Includes Security Fixes)", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass", "name": "VulnCheck Advisory: XenForo Template Method Call Restriction Bypass", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T01:43:21.449Z"}}}, "cveMetadata": {"cveId": "CVE-2025-71281", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:43:31.485Z", "dateReserved": "2026-04-01T00:19:58.851Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-01T00:30:10.890Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5ADDC458-D5EB-4B70-9EE7-93C78E81EDBD", "versionEndExcluding": "2.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations."}, {"lang": "es", "value": "XenForo anterior a 2.3.7 no restringe adecuadamente los m\u00e9todos invocables desde dentro de las plantillas. Se utiliz\u00f3 una coincidencia de prefijo laxa en lugar de una coincidencia de primera palabra m\u00e1s estricta para los m\u00e9todos accesibles a trav\u00e9s de retrollamadas y llamadas a m\u00e9todos variables en las plantillas, lo que podr\u00eda permitir invocaciones de m\u00e9todos no autorizadas."}], "id": "CVE-2025-71281", "lastModified": "2026-04-01T18:52:54.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-01T01:16:40.590", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.7)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "XenForo", "source": "cna", "vendor": "XenForo"}, "product": "xenforo", "vendor": "xenforo"}], "analysis": {"en": {"generated_at": "2026-04-01T05:22:46.502054+00:00", "value": {"mitigation_remediation": ["Upgrade XenForo to version 2.3.7 or later to apply the fix for the template method call restriction.", "Audit existing templates for unsafe method calls and replace or remove them before upgrading if necessary.", "Restrict template editing rights to trusted administrators only and disable public editing to prevent malicious input until the update is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the XenForo forum software, specifically installations running any version before 2.3.7. Administrators of these sites, including custom\u2011template developers, are potentially vulnerable if they allow template editing by non\u2011trusted users or have exposed template files. The issue stems from the server\u2011side template rendering engine that processes user\u2011supplied content.", "description_and_impact": "A flaw in XenForo versions prior to 2.3.7 permits a call to methods from within templates without the stricter first-word check that should limit them. This omission lets an attacker invoke arbitrary functions that are normally protected, which can lead to code execution or other unauthorized actions. The weakness is a code injection issue identified as CWE\u201194, reflecting an improper validation of code that causes unintended functionality.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates a high severity, and the absence of an EPSS score or KEV listing suggests that exploitation is possible but no publicly confirmed exploits are documented. The likely attack vector is via crafting a template or post that includes a malicious method call, which would be processed on the server as part of rendering. Successful exploitation would grant the attacker elevated privileges or arbitrary code execution depending on the methods available in the environment."}}}}, "created": "2026-04-02T07:51:05.080075+00:00", "updated": "2026-04-02T20:09:44.527599+00:00", "vendors": ["xenforo", "xenforo$PRODUCT$xenforo"]}