- Joined
- Oct 27, 2025
- Messages
- 352
XenForo 2.3.7 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
In addition to the usual fixes and improvements, XenForo 2.3.7 also includes a critical security fix to ensure the security of Passkeys that have been added to your account. We'd very much like to thank Jai Niresh J for reporting this issue via Eric and team at Hypixel Inc.. Between them they also reported a less severe issue related to local account page caching on shared systems.
This version also tightens up the kinds of methods that can be called from within templates, evolving from a loose "prefix" match to a stricter "first word" match of methods that can be called through callbacks and variable method calls. This fix is courtesy of Cyanide who we extend huge thanks to in taking the time to report this to us.
We'd also like to take this opportunity to notify all third party developers that writing database queries inside templates is not recommended. While this is still allowed in XenForo 2.3.7, the behaviour is now considered deprecated and will be prevented in XenForo 2.3.8. Code which currently triggers this will insert an error into the Server error log and must be fixed prior to the release of XenForo 2.3.8. Where possible, data must be queried and processed and passed into the template rather than being written inside the template itself.
Finally, we'd like to thank TickTackk for reporting a path disclosure issue in exceptions thrown due to open_basedir restrictions.
Some of the changes in XF 2.3.7 include:
The following are minimum requirements:
In addition to the usual fixes and improvements, XenForo 2.3.7 also includes a critical security fix to ensure the security of Passkeys that have been added to your account. We'd very much like to thank Jai Niresh J for reporting this issue via Eric and team at Hypixel Inc.. Between them they also reported a less severe issue related to local account page caching on shared systems.
This version also tightens up the kinds of methods that can be called from within templates, evolving from a loose "prefix" match to a stricter "first word" match of methods that can be called through callbacks and variable method calls. This fix is courtesy of Cyanide who we extend huge thanks to in taking the time to report this to us.
We'd also like to take this opportunity to notify all third party developers that writing database queries inside templates is not recommended. While this is still allowed in XenForo 2.3.7, the behaviour is now considered deprecated and will be prevented in XenForo 2.3.8. Code which currently triggers this will insert an error into the Server error log and must be fixed prior to the release of XenForo 2.3.8. Where possible, data must be queried and processed and passed into the template rather than being written inside the template itself.
Finally, we'd like to thank TickTackk for reporting a path disclosure issue in exceptions thrown due to open_basedir restrictions.
Some of the changes in XF 2.3.7 include:
- Escape select input option labels
- Improve supported EXIF data when client-side image resizing is enabled
- Allow fetching forum prefixes even without node permissions
- Normalize entity manager repository cache keys
- Fix IPv6 binary to string expansion
- Fix appearance of member tooltip on recent Safari versions
- Use text structured data field for DiscussionForumPosting content
- Require confirmation for linking connected accounts
- Suppress logging of normal connected account exceptions
- Clear site cache data when logging out
- Move XF.SolutionEditClick into action.js to resolve dependency issues
- Fix carousel margin on RTL languages
- Expand global email template parameters
- Adjust wording of account approval phrases
- Improve typing of repository find methods
- Fix issue with missing verbosity when casting collections to webhook results.
- Avoid logging errors when IndexNow is having intermittent issues
- Delete related user alerts when a trophy is deleted
- Add support for viewing and revoking a user's authorised applications from the admin panel
- Handle nulls and empty-evaluated strings properly
- Detect Google Inspection Tool crawler
- No longer create user fields by default during install.
- Fix manual video thumbnail generation on iOS
- Remove legacy Imagick GIF optimization technique
- Display search suggestions properly when results contain guest content
- Fix lift ban link on ban edit page
- Render all activity summary display values in the user language
- Set default Accept-Language header in outgoing HTTP requests
- Allow overriding avatar usernames when a user is specified
- Fix generated entity type hints for JSON columns
- carousel.less
- connected_account_macros
- core_datalist.less
- featured_content_item
- member_ban_edit
- member_tooltip.less
- message.less
- post_macros
- register_connected_account_confirm
- style_variation_macros
- whats_new_wrapper
The following are minimum requirements:
- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
![[XenCustomize] Testimonials: Client Feedback & Reviews Manager](https://xenforoleaks.net/data/attachments/0/507-4b08676c2c7153d93bf070ff26bb6ba4.jpg?hash=-_OHL4YQc0){kind=small}