Vulnerability details: VCID-1dh3-wkp4-8kdm
Vulnerability ID VCID-1dh3-wkp4-8kdm
Aliases CVE-2022-41938
GHSA-7x4w-j98p-854x
Summary Cross-site scripting vulnerability with discussion titles

Flarum's page title system allowed page titles to be converted into HTML DOM nodes when pages were rendered. The change was introduced after `v1.5` and went unnoticed. This allowed an attacker to inject malicious HTML markup through the discussion title input, either by creating a new discussion or by renaming an existing one. The XSS payload executes when a visitor opens the affected discussion page.

### Impact

All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted.

### Patches

The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade to `v1.6.2` as soon as possible using:

```
composer update --prefer-dist --no-dev -a -W
```

You can then confirm you are running the latest version using:

```
composer show flarum/core
```

### Workarounds

**None**

### For more information

For any questions or comments on this vulnerability please visit https://discuss.flarum.org/d/27558. For support questions, create a discussion at https://discuss.flarum.org/t/support.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [security@flarum.org](mailto:security@flarum.org), and we will address it promptly.
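The advisory describes the flaw as a rendering change (a discussion title that should be text is turned into DOM nodes) and gives the affected version range. The JavaScript below is an added example, not Flarum's code and not the fix commit: it contrasts a title-rendering path that interpolates the raw title into markup with one that escapes it first, and adds two checks a practitioner would want after reading the advisory: a scan of stored titles for markup openers (the injection is stored, so a payload planted before the upgrade stays in the database even though the patched renderer no longer executes it), and a version-range test for the string printed by `composer show flarum/core`. All function names, the sample titles and the row objects are constructed for this example; it assumes you can export discussion ids and titles into row objects of that shape.

```javascript
// Added example (not Flarum's code and not the fix commit): contrasts a
// title-rendering path that turns an untrusted discussion title into markup
// with one that renders it as text, plus two practitioner checks. All
// function names, sample titles and rows below are constructed for this
// example.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw title is interpolated into an HTML string, so
// any markup in it becomes DOM nodes once the browser parses the page.
function renderTitleUnsafe(title, siteName) {
  return `<h1 class="DiscussionHero-title">${title}</h1>\n` +
         `<title>${title} - ${siteName}</title>`;
}

// Hardened pattern: the title is escaped first and can only ever be text.
function renderTitleSafe(title, siteName) {
  const t = escapeHtml(title);
  return `<h1 class="DiscussionHero-title">${t}</h1>\n` +
         `<title>${t} - ${escapeHtml(siteName)}</title>`;
}

// Check 1: does a stored title contain something an HTML parser would treat
// as a tag or comment opener? A '<' must be followed directly by a letter,
// '/', '!' or '?' to open markup, so "x < y" is not flagged but "a<b" is.
const MARKUP_OPENER = /<\/?[A-Za-z!?]/;
function titleLooksLikeMarkup(title) {
  return MARKUP_OPENER.test(title);
}

// Run check 1 over rows exported from the discussions table (constructed
// shape: { id, title }); returns the ids whose titles the vulnerable path
// would have injected as markup.
function scanTitles(rows) {
  return rows.filter((r) => titleLooksLikeMarkup(r.title)).map((r) => r.id);
}

// Check 2: is a flarum/core version (as printed by `composer show flarum/core`)
// inside the affected range v1.5.0 .. v1.6.1 given in the advisory?
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, [1, 5, 0]) >= 0 && compareVersions(v, [1, 6, 1]) <= 0;
}

// Constructed sample data: one benign title, one carrying an event handler,
// one with a bare '<' that is not markup.
const BENIGN_TITLE = 'Upgrading to 1.6.2: notes & questions';
const HOSTILE_TITLE = 'Hi <img src=x onerror="alert(document.cookie)">';
const SAMPLE_ROWS = [
  { id: 1, title: BENIGN_TITLE },
  { id: 2, title: HOSTILE_TITLE },
  { id: 3, title: 'x < y, but y > z' },
];

// Compare both rendering paths on each sample title.
function demo() {
  const out = {};
  for (const [name, title] of Object.entries({ benign: BENIGN_TITLE, hostile: HOSTILE_TITLE })) {
    out[name] = {
      flagged: titleLooksLikeMarkup(title),
      unsafeEmitsImgTag: /<img\b/.test(renderTitleUnsafe(title, 'Forum')),
      safeEmitsImgTag: /<img\b/.test(renderTitleSafe(title, 'Forum')),
    };
  }
  return out;
}

console.log(JSON.stringify({ demo: demo(), flaggedIds: scanTitles(SAMPLE_ROWS) }, null, 2));
```

The hostile title is emitted as a live `<img>` element by `renderTitleUnsafe` and as the text `&lt;img ...&gt;` by `renderTitleSafe`; `scanTitles` flags only row 2, because a `<` followed by a space is not a tag opener to an HTML parser. `isAffected` treats `1.5.0` through `1.6.1` as vulnerable and `1.6.2` as fixed, matching the advisory's range.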
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
System           Score     Found at
epss             0.01102   https://api.first.org/data/v1/epss?cve=CVE-2022-41938
cvssv3.1         9.0       https://discuss.flarum.org/d/27558
generic_textual  CRITICAL  https://discuss.flarum.org/d/27558
ssvc             Track     https://discuss.flarum.org/d/27558
cvssv3.1_qr      CRITICAL  https://github.com/advisories/GHSA-7x4w-j98p-854x
cvssv3.1         9.0       https://github.com/flarum/framework
generic_textual  CRITICAL  https://github.com/flarum/framework
cvssv3.1         9.0       https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138
generic_textual  CRITICAL  https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138
ssvc             Track     https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138
cvssv3.1         9.0       https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
cvssv3.1_qr      CRITICAL  https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
generic_textual  CRITICAL  https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
ssvc             Track     https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
cvssv3.1         9.0       https://nvd.nist.gov/vuln/detail/CVE-2022-41938
generic_textual  CRITICAL  https://nvd.nist.gov/vuln/detail/CVE-2022-41938
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (base score 9.0)
Found at: https://discuss.flarum.org/d/27558, https://github.com/flarum/framework, https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138, https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x, https://nvd.nist.gov/vuln/detail/CVE-2022-41938

Metric                      Value
Attack Vector (AV)          network
Attack Complexity (AC)      low
Privileges Required (PR)    low
User Interaction (UI)       required
Scope (S)                   changed
Confidentiality Impact (C)  high
Integrity Impact (I)        high
Availability Impact (A)     high

Read against the summary: PR:L is the account needed to create or rename a discussion, UI:R is the visitor opening that discussion page, and S:C reflects that the injected markup runs in the visitor's browser rather than on the server.

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:46:38Z/ (E:N no exploitation observed, A:N not automatable, T:T total technical impact, D:T decision Track)
Found at: https://discuss.flarum.org/d/27558, https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138, https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x
Exploit Prediction Scoring System (EPSS)
Percentile 0.78397
EPSS Score 0.01102
Published At June 4, 2026, 12:55 p.m.
Date                              Actor               Action  Source                                                                                                                     VulnerableCode Version
2026-06-04T17:52:52.825016+00:00  GithubOSV Importer  Import  https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-7x4w-j98p-854x/GHSA-7x4w-j98p-854x.json  38.6.0