CVE-2025-71278 (HIGH 8.8, EPSS percentile 17.7%)

Description

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% probability of exploitation · percentile 17.7% · 2026-06-18T12:00:27Z
Published: 2026-04-01
Last modified: 2026-04-01

Underlying weaknesses · 1

CWE-863

References

  1. https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request
  2. https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/

Weakness mapping · 1

Type: Weakness
Target: Incorrect Authorization (CWE-863)
Confidence: 0%
Tier: live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.