CVE-2025-71282— XenForo Path Disclosure via open_basedir Exceptions
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-71282
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XenForo Path Disclosure via open_basedir Exceptions
Source: NVD (National Vulnerability Database)
Vulnerability Description
XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过错误消息导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Xenforo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Xenforo是Xenforo公司的一个论坛软件。 XenForo 2.3.7之前版本存在安全漏洞,该漏洞源于通过open_basedir限制触发的异常消息泄露文件系统路径,可能导致攻击者获取服务器目录结构信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-71282
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-71282
请登录查看更多情报信息。
Same Patch Batch · XenForo · 2026-04-01 · 10 CVEs total
| CVE-2025-71279 | 9.8 CRITICAL | XenForo Passkey Security Bypass |
| CVE-2025-71281 | 8.8 HIGH | XenForo Template Method Call Restriction Bypass |
| CVE-2025-71278 | 8.8 HIGH | XenForo OAuth2 Unauthorized Scope Request |
| CVE-2026-35056 | 7.2 HIGH | XenForo Remote Code Execution via Authenticated Admin |
| CVE-2026-35054 | 6.4 MEDIUM | XenForo Stored Cross-Site Scripting via BB Code Rendering |
| CVE-2026-35057 | 6.4 MEDIUM | XenForo Stored Cross-Site Scripting via Structured Text Mentions |
| CVE-2024-58342 | 6.3 MEDIUM | XenForo Open Redirect via getDynamicRedirect |
| CVE-2025-71280 | 6.2 MEDIUM | XenForo Local Account Page Caching Information Disclosure |
| CVE-2026-35055 | 6.1 MEDIUM | XenForo Cross-Site Scripting via Lightbox in Posts |
IV. Related Vulnerabilities
Same product: XenForo
- CVE-2026-35057
XenForo Stored Cross-Site Scripting via Structured Text Ment - CVE-2026-35056
XenForo Remote Code Execution via Authenticated Admin - CVE-2026-35055
XenForo Cross-Site Scripting via Lightbox in Posts - CVE-2026-35054
XenForo Stored Cross-Site Scripting via BB Code Rendering - CVE-2025-71281
XenForo Template Method Call Restriction Bypass
Same vendor: XenForo
- CVE-2026-35057
XenForo Stored Cross-Site Scripting via Structured Text Ment - CVE-2026-35056
XenForo Remote Code Execution via Authenticated Admin - CVE-2026-35055
XenForo Cross-Site Scripting via Lightbox in Posts - CVE-2026-35054
XenForo Stored Cross-Site Scripting via BB Code Rendering - CVE-2025-71281
XenForo Template Method Call Restriction Bypass
Same weakness: CWE-209
- CVE-2026-41644
monetr is vulnerable to server-side request forgery in Lunch - CVE-2025-31960
HCL BigFix Service Management (SM) is vulnerable to informat - CVE-2025-59853
HCL DFXAnalytics is affected by an Improper Error Handling v - CVE-2026-40969
Spring gRPC AuthenticationException message reflected to rem - CVE-2026-3259
Sensitive Data Disclosure in BigQuery via Materialized View
V. Comments for CVE-2025-71282
No comments yet