| Field | Value |
|---|---|
| purl | pkg:composer/flarum/core@1.8.4 |
| Next non-vulnerable version | 1.8.16 |
| Latest non-vulnerable version | 2.0.0-rc.1 |
| Risk | 3.1 |
Vulnerabilities affecting this package (Vulnerability / Summary / Fixed by):

VCID-akuy-drq1-hkap
Aliases: CVE-2024-21641 GHSA-733r-8xcp-w9mr
Summary: Flarum's logout route allows open redirects. The Flarum `/logout` route accepts a `return` parameter that lets any third party send users from a (trusted) domain of the Flarum installation to an arbitrary link. Sample: `example.com/logout?return=https://google.com`. Logged-in users must confirm the logout first; guests are redirected immediately. Spammers could use this to send victims to a web address under the cover of a trusted domain of a running Flarum installation. Some ecosystem extensions that modify the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526
Fixed by: a later flarum/core release that is itself affected by 2 other vulnerabilities.
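A server-side check for a `return`-style parameter, as an added example that is not Flarum's code (Flarum is PHP; this is written in Python as a language-neutral illustration). It assumes a constructed site origin of `https://example.com` and a fallback of `/`, and accepts only rooted relative paths or absolute URLs on the site's own origin, always re-emitting the result as a path so the redirect can never leave the forum. `SITE_ORIGIN`, `safe_return_url` and `_effective_port` are names chosen for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed base URL standing in for a Flarum installation's origin (assumption).
SITE_ORIGIN = "https://example.com"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Port given explicitly in the URL, else the scheme's default; None if unparsable."""
    try:
        port = parts.port
    except ValueError:
        return None
    return port if port is not None else _DEFAULT_PORTS.get(parts.scheme)


def safe_return_url(candidate: str, site_origin: str = SITE_ORIGIN, fallback: str = "/") -> str:
    """Return a redirect target that stays on the forum's own origin, or `fallback`.

    Accepted inputs are rooted relative paths ("/d/123?x=1") and absolute URLs whose
    scheme, host and port equal the site's. Foreign hosts, scheme-relative "//evil.com",
    "javascript:" URLs and userinfo tricks all fall back. The result is always a path.
    """
    if not candidate:
        return fallback
    # Browsers treat backslashes as forward slashes, so "/\evil.com" navigates to
    # evil.com; normalise first so it is caught as a scheme-relative URL below.
    candidate = candidate.replace("\\", "/")
    if candidate.startswith("//"):
        return fallback
    parts = urlsplit(candidate)
    site = urlsplit(site_origin)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only rooted paths are meaningful redirect targets here.
        if not parts.path.startswith("/"):
            return fallback
    else:
        # Absolute URL: every origin component must match and no userinfo is allowed
        # ("https://example.com@evil.com" has hostname evil.com and username example.com).
        if (
            parts.scheme != site.scheme
            or parts.hostname != site.hostname
            or _effective_port(parts) != _effective_port(site)
            or parts.username is not None
        ):
            return fallback
    path = parts.path or "/"
    # "https://example.com//evil.com" parses to path "//evil.com", which a browser would
    # resolve as a scheme-relative URL to evil.com once the origin is stripped.
    if path.startswith("//"):
        return fallback
    # Re-emit without scheme/host so the browser resolves it against the current origin.
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

The path-only return value is the important design choice: even if a future parser quirk let a foreign origin through the comparison, the browser is never handed a scheme or host from user input.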
VCID-jnjt-mna6-2qhe
Aliases: CVE-2026-41887 GHSA-xjvc-pw2r-6878
Summary: Flarum: path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

## Summary

Flarum's patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via `Extend\Settings::registerLessConfigVar()`). Those values are interpolated verbatim into the LESS source at compile time, so an authenticated administrator can craft a theme-color value that injects an arbitrary `@import` directive into the compiled `forum.css`. Because the underlying LESS parser honours `@import (inline) '<path>'`, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).

## Impact

An attacker who has compromised, or legitimately obtained, an administrator account can:

- **Read arbitrary local files** reachable by the PHP process (e.g. `/etc/passwd`, `.env`, config files containing database credentials, OAuth secrets, API keys).
- **Trigger outbound HTTP/HTTPS requests** from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as `http://169.254.169.254/` (AWS IMDSv1, GCP, Azure). Note that the GCP and Azure metadata services require a custom request header (`Metadata-Flavor: Google` and `Metadata: true` respectively), which a bare LESS `@import` cannot add, so a header-less import reaches the AWS IMDSv1 endpoint directly but not those two.

The contents of the attacker-controlled import are embedded into the compiled `forum.css`, which is publicly served, so the attacker can retrieve whatever was read simply by fetching the CSS file. This is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.

### Example payload

Submitted via `POST /api/settings` with an admin session:

```json
{ "theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';" }
```

The setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in `/assets/forum.css`.

## Patches

- **`flarum/core` 1.8.16**: fix for the 1.x branch.
- **`flarum/core` 2.0.0-rc.1**: fix for the 2.x branch.

The fix extends the existing `@import` / `data-uri()` validation in `Flarum\Forum\ValidateCustomLess::whenSettingsSaving` to every dirty setting whose key is registered as a LESS config variable, not just `custom_less`.

## Workarounds

If upgrading is not immediately possible:

- Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.
- Restrict administrator access to trusted users only.
- Review the forum's public `forum.css` for unexpected content that could indicate prior exploitation.

There is no configuration-level mitigation on affected versions; the fix requires the upgraded code.

## Resources

- [CVE-2023-27577](https://nvd.nist.gov/vuln/detail/CVE-2023-27577): the original vulnerability whose patch was incomplete.
- [GHSA-vhm8-wwrf-3gcw](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw): the original advisory.

## Credit

Reported to the Flarum Foundation by **William (Liam) Snow IV** ([@LiamSnow](https://github.com/LiamSnow)), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.

Fixed by: flarum/core 1.8.16 (affected by 0 other vulnerabilities); flarum/core 2.0.0-rc.1 (affected by 0 other vulnerabilities)
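The interpolation and the validation described above, as an added example (Python, not Flarum's PHP code): it mimics how a verbatim-interpolated theme colour carries an `@import` into the LESS source, and applies the two checks a hardened `whenSettingsSaving`-style validator should run on every registered LESS variable, not only `custom_less`. `LESS_CONFIG_VARS`, `compile_less_source`, `validate_less_settings` and `imports_in` are names chosen for this example, and the registry is constructed; the blocked features, the setting keys and the payload come from the advisory. The hex-colour rule goes beyond the advisory's fix as a type-specific defence in depth.

```python
import re

# Constructed registry of setting keys that are interpolated into the LESS source.
# The two theme colours and custom_less are real Flarum setting keys named in the
# advisory; representing the registry as a plain set is an assumption of this example.
LESS_CONFIG_VARS = {"theme_primary_color", "theme_secondary_color", "custom_less"}

# LESS features the fix blocks: file/URL imports and data-uri() embedding.
BLOCKED_LESS = re.compile(r"@import\b|data-uri\s*\(", re.IGNORECASE)

# A colour setting has a fixed shape, so anything that is not a hex literal is rejected
# outright (a colour never legitimately contains ';' or '@').
HEX_COLOR = re.compile(r"\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z")

# Matches an @import directive, with or without an option list, and captures its target.
IMPORT_DIRECTIVE = re.compile(r"@import\s*(?:\([^)]*\))?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def compile_less_source(settings: dict) -> str:
    """Mimic the pre-fix behaviour: each registered value is dropped into the LESS
    source verbatim as `@key: value;`, with no escaping or type check."""
    return "\n".join(
        f"@{key}: {value};" for key, value in sorted(settings.items()) if key in LESS_CONFIG_VARS
    )


def imports_in(less_source: str) -> list:
    """Targets of every @import in a LESS source. A non-empty result from a source
    built purely out of settings is the injection the advisory describes."""
    return IMPORT_DIRECTIVE.findall(less_source)


def validate_less_settings(dirty: dict) -> list:
    """Errors for the settings being saved; an empty list means the save may proceed.

    Runs the @import/data-uri() rule on every registered LESS variable (the
    advisory's fix) plus a strict format rule for colour keys."""
    errors = []
    for key, value in dirty.items():
        if key not in LESS_CONFIG_VARS:
            continue  # not interpolated into LESS, so not a LESS injection vector
        if BLOCKED_LESS.search(value):
            errors.append(f"{key}: @import and data-uri() are not allowed")
        if key.endswith("_color") and not HEX_COLOR.match(value):
            errors.append(f"{key}: must be a hex colour such as #4D698E")
    return errors


if __name__ == "__main__":
    # The advisory's payload: a valid-looking colour followed by an inline file import.
    payload = {"theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';"}
    print(compile_less_source(payload))               # the @import now sits inside the stylesheet source
    print(imports_in(compile_less_source(payload)))   # ['/etc/passwd']
    print(validate_less_settings(payload))            # two errors: blocked directive, not a hex colour
    print(validate_less_settings({"theme_primary_color": "#4D698E"}))  # []
```

`imports_in` doubles as a cheap detection check: run it over the LESS source that is actually handed to the compiler (settings plus extension LESS) rather than over the compiled CSS, because by the time the import has been inlined the directive itself is gone.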
VCID-vthb-u9cs-ckak
Aliases: CVE-2025-27794 GHSA-hg9j-64wp-m9px
Summary: Flarum vulnerable to session hijacking via authoritative subdomain cookie overwrite. A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication.

**Key Constraints**:

- Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`).
- Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/).

Due to non-existent session token rotation after authenticating, we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.

Fixed by: two later flarum/core releases, each itself affected by 1 other vulnerability.
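The server-side half of this scenario, modelled as an added example (Python, not Flarum's PHP session code): a toy session store shows why the attack hinges on whether the session id is rotated at login, and a cookie-prefix check shows the browser rule that stops a sibling subdomain from planting the cookie in the first place. `SessionStore`, `fixation_succeeds`, `browser_accepts_cookie` and `session_set_cookie` are names chosen here, and `flarum_session` as the cookie name is an assumption. The example models only the token-replacement step; it says nothing about the browser-side obstacles the advisory text mentions.

```python
import secrets


class SessionStore:
    """Toy server-side session table: session id -> username (None while a guest)."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def start(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid: str, username: str) -> str:
        """Authenticate the session behind the presented cookie; returns the id to set."""
        if presented_sid not in self.sessions:
            presented_sid = self.start()  # never adopt an id the server did not issue
        if self.rotate_on_login:
            # Retire the pre-authentication id: whoever planted it now holds a dead token.
            del self.sessions[presented_sid]
            presented_sid = self.start()
        self.sessions[presented_sid] = username
        return presented_sid

    def user(self, sid: str):
        return self.sessions.get(sid)


def fixation_succeeds(rotate_on_login: bool) -> bool:
    """Replay the advisory's token-replacement step against the toy store."""
    store = SessionStore(rotate_on_login)
    planted = store.start()  # attacker first obtains a valid guest session id of their own
    # evil.host.com answers the victim's browser with (constructed header)
    #   Set-Cookie: flarum_session=<planted>; Domain=.host.com; Path=/
    # so the victim now presents `planted` to community.host.com and logs in with it.
    store.login(planted, "victim")
    # The attacker replays the id they planted; without rotation it is now the victim's session.
    return store.user(planted) == "victim"


def browser_accepts_cookie(name: str, attrs: dict) -> bool:
    """Cookie-prefix rule only: a __Host- cookie must be Secure, Path=/ and carry no
    Domain attribute, otherwise the browser discards the Set-Cookie line."""
    if name.startswith("__Host-"):
        return bool(attrs.get("Secure")) and attrs.get("Path") == "/" and "Domain" not in attrs
    return True


def session_set_cookie(value: str) -> str:
    """Set-Cookie line for a host-only session cookie that a sibling subdomain cannot
    overwrite (the prefix forbids Domain=.host.com) and that scripts cannot read."""
    return f"__Host-flarum_session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

`browser_accepts_cookie` models the `__Host-` prefix rule alone, not a full cookie jar: a sibling subdomain can still set a plain `flarum_session` cookie scoped to `.host.com`, which is exactly why rotation at login matters as the second, server-side layer.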
Vulnerabilities fixed by this package:

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:15:12.554796+00:00 | GitLab Importer | Affected by | VCID-jnjt-mna6-2qhe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/core/GHSA-xjvc-pw2r-6878.yml | 38.6.0 |
| 2026-06-06T08:14:44.615545+00:00 | GitLab Importer | Affected by | VCID-jnjt-mna6-2qhe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/core/CVE-2026-41887.yml | 38.6.0 |
| 2026-06-06T05:42:07.230478+00:00 | GitLab Importer | Affected by | VCID-vthb-u9cs-ckak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/core/CVE-2025-27794.yml | 38.6.0 |
| 2026-06-06T04:30:01.749551+00:00 | GitLab Importer | Affected by | VCID-akuy-drq1-hkap | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/core/CVE-2024-21641.yml | 38.6.0 |