Vulnerability details: VCID-jnjt-mna6-2qhe
Vulnerability ID VCID-jnjt-mna6-2qhe
Aliases CVE-2026-41887
GHSA-xjvc-pw2r-6878
Summary: Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

## Summary

Flarum's patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via `Extend\Settings::registerLessConfigVar()`). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary `@import` directive into the compiled `forum.css`. Because the underlying LESS parser honours `@import (inline) '<path>'`, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).

## Impact

An attacker who has compromised — or legitimately obtained — an administrator account can:

- **Read arbitrary local files** reachable by the PHP process (e.g. `/etc/passwd`, `.env`, config files containing database credentials, OAuth secrets, API keys).
- **Trigger outbound HTTP/HTTPS requests** from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as `http://169.254.169.254/` (AWS IMDSv1, GCP, Azure).

The contents of the attacker-controlled import are embedded into the compiled `forum.css`, which is publicly served — so the attacker can retrieve whatever was read simply by fetching the CSS file.

This is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.

### Example payload

Submitted via `POST /api/settings` with an admin session:

```json
{
  "theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';"
}
```

The setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in `/assets/forum.css`.

## Patches

- **`flarum/core` 1.8.16** — fix for the 1.x branch.
- **`flarum/core` 2.0.0-rc.1** — fix for the 2.x branch.

The fix extends the existing `@import` / `data-uri()` validation in `Flarum\Forum\ValidateCustomLess::whenSettingsSaving` to every dirty setting whose key is registered as a LESS config variable, not just `custom_less`.

## Workarounds

If upgrading is not immediately possible:

- Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.
- Restrict administrator access to trusted users only.
- Review the forum's public `forum.css` for unexpected content that could indicate prior exploitation.

There is no configuration-level mitigation on affected versions — the fix requires the upgraded code.

## Resources

- [CVE-2023-27577](https://nvd.nist.gov/vuln/detail/CVE-2023-27577) — the original vulnerability whose patch was incomplete.
- [GHSA-vhm8-wwrf-3gcw](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) — the original advisory.

## Credit

Reported to the Flarum Foundation by **William (Liam) Snow IV** ([@LiamSnow](https://github.com/LiamSnow)), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.
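The scoping error the Patches section describes, shown as an added example (not Flarum's code): the pre-fix check screens only `custom_less`, while the corrected check screens every dirty setting whose key is a registered LESS config variable. The set of registered keys and the forbidden-directive pattern are assumptions for the example; Flarum's exact expression may differ.

```python
import re

# Assumed stand-in for the keys registered via Extend\Settings::registerLessConfigVar().
LESS_CONFIG_VARS = {"theme_primary_color", "theme_secondary_color", "custom_less"}

# Assumed pattern for the directives the advisory says the validation blocks.
FORBIDDEN = re.compile(r"@import\b|data-uri\s*\(", re.IGNORECASE)


def incomplete_check(dirty: dict) -> list:
    """Pre-1.8.16 scope: only `custom_less` is screened, so an injected
    theme colour passes untouched (constructed model of the flaw)."""
    value = dirty.get("custom_less")
    if isinstance(value, str) and FORBIDDEN.search(value):
        return ["custom_less"]
    return []


def complete_check(dirty: dict) -> list:
    """Corrected scope: every dirty setting that feeds the LESS compiler is
    screened, whichever key it is stored under."""
    return sorted(
        key for key, value in dirty.items()
        if key in LESS_CONFIG_VARS
        and isinstance(value, str)
        and FORBIDDEN.search(value)
    )


def validate_settings(dirty: dict, check=complete_check) -> dict:
    """Reject the whole save if any LESS-bound setting carries a directive."""
    rejected = check(dirty)
    if rejected:
        raise ValueError("LESS directives not allowed in: " + ", ".join(rejected))
    return dirty


# Constructed request bodies: the page's example payload and a benign save.
INJECTED = {"theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';"}
CLEAN = {"theme_primary_color": "#4D698E", "theme_secondary_color": "#E7EDF3"}

if __name__ == "__main__":
    print("old check flags:", incomplete_check(INJECTED))   # []
    print("new check flags:", complete_check(INJECTED))     # ['theme_primary_color']
    print("clean save flags:", complete_check(CLEAN))       # []
```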
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (4)

| System | Score | Found at |
| --- | --- | --- |
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-41887 |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework |
| generic_textual | MODERATE | https://github.com/flarum/framework |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 |
| generic_textual | MODERATE | https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 |
| ssvc | Track | https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework/releases/tag/v1.8.16 |
| generic_textual | MODERATE | https://github.com/flarum/framework/releases/tag/v1.8.16 |
| ssvc | Track | https://github.com/flarum/framework/releases/tag/v1.8.16 |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| generic_textual | MODERATE | https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| ssvc | Track | https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw |
| generic_textual | MODERATE | https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw |
| cvssv3.1 | 4.9 | https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 |
| generic_textual | MODERATE | https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 |
| ssvc | Track | https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 |
| cvssv3.1 | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2023-27577 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2023-27577 |
| cvssv3.1 | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2026-41887 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-41887 |
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/ Found at https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework/releases/tag/v1.8.16
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/ Found at https://github.com/flarum/framework/releases/tag/v1.8.16
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/ Found at https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T19:26:06Z/ Found at https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-27577
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41887
Exploit Prediction Scoring System (EPSS)
Percentile 0.02797
EPSS Score 0.00014
Published At June 5, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-04T16:52:09.840322+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xjvc-pw2r-6878/GHSA-xjvc-pw2r-6878.json | 38.6.0 |