Method Call Restriction Bypass in XenForo by XenForo Limited
CVE-2025-71281

8.7HIGH

Key Information:

Vendor: Xen Projectforo
Status: Xen Projectforo
Vendor: CVE Published:; 1 April 2026

🔔 Create Xen Projectforo Vulnerability Alert

What is CVE-2025-71281?

XenForo versions prior to 2.3.7 exhibit a vulnerability where the method restrictions within templates are not adequately enforced. Instead of implementing a stringent first-word match for callable methods, the system uses a loose prefix match. This flaw may permit unauthorized invocations of methods through callbacks and variable method calls within templates, creating a potential security risk for users and their data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

XenForo 2.3.0 < 2.3.7

References

https://xenforo.com/community/threads/xenforo-2-3-7-relea...

vendor-advisorypatch

https://www.vulncheck.com/advisories/xenforo-template-met...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Cyanide

JSON

Xen Projectforo

What is CVE-2025-71281?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.