Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/flarum/core@1.8.1

Type composer

Namespace flarum

Name core

Version 1.8.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.8.16

Latest_non_vulnerable_version 2.0.0-rc.1

Affected_by_vulnerabilities

url VCID-9cqz-xdsy-ayef

vulnerability_id VCID-9cqz-xdsy-ayef

summary Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-21641

reference_id

reference_type

scores

value	0.37939
scoring_system	epss
scoring_elements	0.97311
published_at	2026-06-11T12:55:00Z

value	0.37939
scoring_system	epss
scoring_elements	0.97319
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-21641

reference_url

https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176

reference_id

7d70328471cf3091d92d95c382d277aec7996176

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/

url

https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-21641

reference_id

CVE-2024-21641

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-21641

reference_url

https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a

reference_id

ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/

url

https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a

reference_url

https://github.com/advisories/GHSA-733r-8xcp-w9mr

reference_id

GHSA-733r-8xcp-w9mr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-733r-8xcp-w9mr

reference_url

https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr

reference_id

GHSA-733r-8xcp-w9mr

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/

url

https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr

fixed_packages

url pkg:composer/flarum/core@1.8.5

purl pkg:composer/flarum/core@1.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vuey-qxzt-13be

vulnerability	VCID-xxse-e4ch-h3g1

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.5

aliases CVE-2024-21641, GHSA-733r-8xcp-w9mr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9cqz-xdsy-ayef

url VCID-vuey-qxzt-13be

vulnerability_id VCID-vuey-qxzt-13be

summary Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-41887

reference_id

reference_type

scores

value	0.00015
scoring_system	epss
scoring_elements	0.03458
published_at	2026-06-11T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03472
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-41887

reference_url

https://github.com/flarum/framework

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flarum/framework

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27577

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27577

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-41887

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-41887

reference_url

https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410

reference_id

2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/

url

https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410

reference_url

https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw

reference_id

GHSA-vhm8-wwrf-3gcw

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw

reference_url

https://github.com/advisories/GHSA-xjvc-pw2r-6878

reference_id

GHSA-xjvc-pw2r-6878

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xjvc-pw2r-6878

reference_url

https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878

reference_id

GHSA-xjvc-pw2r-6878

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/

url

https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878

reference_url

https://github.com/flarum/framework/releases/tag/v1.8.16

reference_id

v1.8.16

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/

url

https://github.com/flarum/framework/releases/tag/v1.8.16

reference_url

https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1

reference_id

v2.0.0-rc.1

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/

url

https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1

fixed_packages

url	pkg:composer/flarum/core@1.8.16
purl	pkg:composer/flarum/core@1.8.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.16

url	pkg:composer/flarum/core@2.0.0-rc.1
purl	pkg:composer/flarum/core@2.0.0-rc.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-rc.1

aliases CVE-2026-41887, GHSA-xjvc-pw2r-6878

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vuey-qxzt-13be

url VCID-xxse-e4ch-h3g1

vulnerability_id VCID-xxse-e4ch-h3g1

summary Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the parent domain (e.g., `evil.host.com` or `x.y.host.com`), and the parent domain must not be on the Public Suffix List. Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. Version 1.8.10 contains a patch for the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27794

reference_id

reference_type

scores

value	0.00377
scoring_system	epss
scoring_elements	0.59695
published_at	2026-06-11T12:55:00Z

value	0.00377
scoring_system	epss
scoring_elements	0.59803
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27794

reference_url

https://github.com/flarum/framework

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flarum/framework

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27794

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27794

reference_url

https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402

reference_id

a05aaea3ee1e0a8b870935183193cd6052f1d402

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/

url

https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402

reference_url	https://github.com/advisories/GHSA-hg9j-64wp-m9px
reference_id	GHSA-hg9j-64wp-m9px
reference_type
scores
url	https://github.com/advisories/GHSA-hg9j-64wp-m9px

reference_url

https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px

reference_id

GHSA-hg9j-64wp-m9px

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/

url

https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px

reference_url

https://github.com/flarum/framework/releases/tag/v1.8.10

reference_id

v1.8.10

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/

url

https://github.com/flarum/framework/releases/tag/v1.8.10

fixed_packages

url pkg:composer/flarum/core@1.8.10

purl pkg:composer/flarum/core@1.8.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vuey-qxzt-13be

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.10

url pkg:composer/flarum/core@2.0.0-beta.1

purl pkg:composer/flarum/core@2.0.0-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vuey-qxzt-13be

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@2.0.0-beta.1

aliases CVE-2025-27794, GHSA-hg9j-64wp-m9px

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xxse-e4ch-h3g1

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flarum/core@1.8.1

Package Instance