Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-akuy-drq1-hkap
Vulnerability ID VCID-akuy-drq1-hkap
Aliases CVE-2024-21641
GHSA-733r-8xcp-w9mr
Summary Flarum's logout Route allows open redirects The Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. Some ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.39082 https://api.first.org/data/v1/epss?cve=CVE-2024-21641
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-733r-8xcp-w9mr
cvssv3.1 6.5 https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
generic_textual MODERATE https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
ssvc Track https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
cvssv3.1 6.5 https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
generic_textual MODERATE https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
ssvc Track https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
cvssv3.1 6.5 https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
cvssv3.1_qr MODERATE https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
generic_textual MODERATE https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
ssvc Track https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2024-21641
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-21641
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-21641
https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
CVE-2024-21641 https://nvd.nist.gov/vuln/detail/CVE-2024-21641
GHSA-733r-8xcp-w9mr https://github.com/advisories/GHSA-733r-8xcp-w9mr
GHSA-733r-8xcp-w9mr https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/ Found at https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/ Found at https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/ Found at https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-21641
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.9736
EPSS Score 0.39082
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:46:47.975083+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/flarum/framework/CVE-2024-21641.yml 38.6.0