Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/84359?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/84359?format=api", "purl": "pkg:composer/flarum/core@1.8.10", "type": "composer", "namespace": "flarum", "name": "core", "version": "1.8.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.8.16", "latest_non_vulnerable_version": "2.0.0-rc.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89333?format=api", "vulnerability_id": "VCID-jnjt-mna6-2qhe", "summary": "Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)\n## Summary\n\nFlarum's patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via `Extend\\Settings::registerLessConfigVar()`).\n\nThose values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary `@import` directive into the compiled `forum.css`. Because the underlying LESS parser honours `@import (inline) '<path>'`, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).\n\n## Impact\n\nAn attacker who has compromised — or legitimately obtained — an administrator account can:\n\n- **Read arbitrary local files** reachable by the PHP process (e.g. `/etc/passwd`, `.env`, config files containing database credentials, OAuth secrets, API keys).\n- **Trigger outbound HTTP/HTTPS requests** from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as `http://169.254.169.254/` (AWS IMDSv1, GCP, Azure).\n\nThe contents of the attacker-controlled import are embedded into the compiled `forum.css`, which is publicly served — so the attacker can retrieve whatever was read simply by fetching the CSS file.\n\nThis is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.\n\n### Example payload\n\nSubmitted via `POST /api/settings` with an admin session:\n\n```json\n{ \"theme_primary_color\": \"#4D698E;@import (inline) '/etc/passwd';\" }\n```\n\nThe setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in `/assets/forum.css`.\n\n## Patches\n\n- **`flarum/core` 1.8.16** — fix for the 1.x branch.\n- **`flarum/core` 2.0.0-rc.1** — fix for the 2.x branch.\n\nThe fix extends the existing `@import` / `data-uri()` validation in `Flarum\\Forum\\ValidateCustomLess::whenSettingsSaving` to every dirty setting whose key is registered as a LESS config variable, not just `custom_less`.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.\n- Restrict administrator access to trusted users only.\n- Review the forum's public `forum.css` for unexpected content that could indicate prior exploitation.\n\nThere is no configuration-level mitigation on affected versions — the fix requires the upgraded code.\n\n## Resources\n\n- [CVE-2023-27577](https://nvd.nist.gov/vuln/detail/CVE-2023-27577) — the original vulnerability whose patch was incomplete.\n- [GHSA-vhm8-wwrf-3gcw](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) — the original advisory.\n\n## Credit\n\nReported to the Flarum Foundation by **William (Liam) Snow IV** ([@LiamSnow](https://github.com/LiamSnow)), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02749", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02802", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02797", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41887" }, { "reference_url": "https://github.com/flarum/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/flarum/framework" }, { "reference_url": "https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/" } ], "url": "https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410" }, { "reference_url": "https://github.com/flarum/framework/releases/tag/v1.8.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/" } ], "url": "https://github.com/flarum/framework/releases/tag/v1.8.16" }, { "reference_url": "https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/" } ], "url": "https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1" }, { "reference_url": "https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/" } ], "url": "https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41887", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41887" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27577", "reference_id": "CVE-2023-27577", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27577" }, { "reference_url": "https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw", "reference_id": "GHSA-vhm8-wwrf-3gcw", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw" }, { "reference_url": "https://github.com/advisories/GHSA-xjvc-pw2r-6878", "reference_id": "GHSA-xjvc-pw2r-6878", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xjvc-pw2r-6878" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110446?format=api", "purl": "pkg:composer/flarum/core@1.8.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/110448?format=api", "purl": "pkg:composer/flarum/core@2.0.0-rc.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-rc.1" } ], "aliases": [ "CVE-2026-41887", "GHSA-xjvc-pw2r-6878" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jnjt-mna6-2qhe" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56795?format=api", "vulnerability_id": "VCID-vthb-u9cs-ckak", "summary": "Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite\nA session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication.\n\n**Key Constraints**:\n- Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`).\n- Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/).\n\nDue to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27794", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59628", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59638", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59635", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27794" }, { "reference_url": "https://github.com/flarum/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/flarum/framework" }, { "reference_url": "https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402" }, { "reference_url": "https://github.com/flarum/framework/releases/tag/v1.8.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/releases/tag/v1.8.10" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27794", "reference_id": "CVE-2025-27794", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27794" }, { "reference_url": "https://github.com/advisories/GHSA-hg9j-64wp-m9px", "reference_id": "GHSA-hg9j-64wp-m9px", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hg9j-64wp-m9px" }, { "reference_url": "https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px", "reference_id": "GHSA-hg9j-64wp-m9px", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84359?format=api", "purl": "pkg:composer/flarum/core@1.8.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jnjt-mna6-2qhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/807713?format=api", "purl": "pkg:composer/flarum/core@2.0.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jnjt-mna6-2qhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-beta.1" } ], "aliases": [ "CVE-2025-27794", "GHSA-hg9j-64wp-m9px" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vthb-u9cs-ckak" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.10" }