Search for packages
| purl | pkg:composer/flarum/framework@0.1.0-beta.10 |
| Next non-vulnerable version | 1.8.10 |
| Latest non-vulnerable version | 2.0.0-beta.1 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-akuy-drq1-hkap
Aliases: CVE-2024-21641 GHSA-733r-8xcp-w9mr |
Flarum's logout Route allows open redirects The Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. Some ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526 |
Affected by 1 other vulnerability. |
|
VCID-vthb-u9cs-ckak
Aliases: CVE-2025-27794 GHSA-hg9j-64wp-m9px |
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. **Key Constraints**: - Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`). - Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/). Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. --- |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yapt-ka6b-f3ba
Aliases: CVE-2023-40033 GHSA-67c6-q4j4-hccg |
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. This has been patched in Flarum version 1.8.0. Users are advised to upgrade. Users unable to upgrade may disable PHP's `allow_url_fopen` which will prevent the fetching of external files via URLs as a temporary workaround for the SSRF aspect of the vulnerability. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T05:42:09.810479+00:00 | GitLab Importer | Affected by | VCID-vthb-u9cs-ckak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2025-27794.yml | 38.6.0 |
| 2026-06-06T04:29:59.447926+00:00 | GitLab Importer | Affected by | VCID-akuy-drq1-hkap | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2024-21641.yml | 38.6.0 |
| 2026-06-06T04:02:39.620278+00:00 | GitLab Importer | Affected by | VCID-yapt-ka6b-f3ba | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2023-40033.yml | 38.6.0 |