This occurred because:
1. Unparsed BB-Code exists in the output of the IMG tag (not sure why, but the alt attribute is always [/IMG]).
2. Unparsed BB-Codes are obfuscated from the template parser when discovering the boundaries between template arguments/parameters.
3. The values of template arguments must be the same before and after all templates are parsed to avoid a hash collision security vulnerability.
4. The reverse obfuscation of the template arguments is not the same as the obfuscated argument, so the values of those arguments are considered in violation of this security measure.
This only affected XenForo because this security measure is only needed in XenForo. This was fixed by ensuring that the security function compares the non-obfuscated versions of the argument on both sides of the comparison.
This bug was introduced by the following versions:
4.0.6 Patch Level 1
4.0.5 Patch Level 1
4.0.4 Patch Level 1
4.0.3 Patch Level 2
4.0.2 Patch Level 5
4.0.1 Patch Level 8
4.0.0 Patch Level 7
4.0.0 RC 5 Patch Level 6
4.0.0 RC 4 Patch Level 7