{"url":"http://public2.vulnerablecode.io/api/packages/1023658?format=json","purl":"pkg:composer/flarum/core@2.0.0-beta.4","type":"composer","namespace":"flarum","name":"core","version":"2.0.0-beta.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.0-rc.1","latest_non_vulnerable_version":"2.0.0-rc.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81005?format=json","vulnerability_id":"VCID-vuey-qxzt-13be","summary":"Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41887","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03458","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41887"},{"reference_url":"https://github.com/flarum/framework","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/flarum/framework"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27577","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27577"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41887","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41887"},{"reference_url":"https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410","reference_id":"2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/"}],"url":"https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410"},{"reference_url":"https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw","reference_id":"GHSA-vhm8-wwrf-3gcw","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw"},{"reference_url":"https://github.com/advisories/GHSA-xjvc-pw2r-6878","reference_id":"GHSA-xjvc-pw2r-6878","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xjvc-pw2r-6878"},{"reference_url":"https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878","reference_id":"GHSA-xjvc-pw2r-6878","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/"}],"url":"https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878"},{"reference_url":"https://github.com/flarum/framework/releases/tag/v1.8.16","reference_id":"v1.8.16","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/"}],"url":"https://github.com/flarum/framework/releases/tag/v1.8.16"},{"reference_url":"https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1","reference_id":"v2.0.0-rc.1","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/"}],"url":"https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373634?format=json","purl":"pkg:composer/flarum/core@2.0.0-rc.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-rc.1"}],"aliases":["CVE-2026-41887","GHSA-xjvc-pw2r-6878"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vuey-qxzt-13be"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-beta.4"}