Search for packages
| purl | pkg:composer/flarum/framework@1.8.2 |
| Next non-vulnerable version | 1.8.10 |
| Latest non-vulnerable version | 2.0.0-beta.1 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-akuy-drq1-hkap
Aliases: CVE-2024-21641 GHSA-733r-8xcp-w9mr |
Flarum's logout Route allows open redirects The Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. Some ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526 |
Affected by 1 other vulnerability. |
|
VCID-vthb-u9cs-ckak
Aliases: CVE-2025-27794 GHSA-hg9j-64wp-m9px |
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. **Key Constraints**: - Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`). - Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/). Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. --- |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T05:42:09.948470+00:00 | GitLab Importer | Affected by | VCID-vthb-u9cs-ckak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2025-27794.yml | 38.6.0 |
| 2026-06-06T04:29:59.581058+00:00 | GitLab Importer | Affected by | VCID-akuy-drq1-hkap | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2024-21641.yml | 38.6.0 |