Flarum Core vulnerabilities
8 known vulnerabilities affecting flarum/core.
Total CVEs: 8
CISA KEV: 0
Public exploits: 1
Exploited in the wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 4, LOW 1
Vulnerabilities
CVE-2021-32671 | priority P2 | CRITICAL | CVSS 10.0 | affects >= 1.0.0, < 1.0.2 | published 2021-06-07
CVE-2021-32671 [CRITICAL] CWE-79
Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input fiel
Sources: GHSA, NVD, OSV
CVE-2024-21641 | priority P4 | MEDIUM | public PoC | affects >= 0, < 1.8.5 | published 2024-01-05
CVE-2024-21641 [MEDIUM] CWE-601 Flarum's logout Route allows open redirects
### Impact
The Flarum `/logout` route includes a `return` redirect parameter that allows any third party to send users from a (trusted) domain of the Flarum installation to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a
Sources: GHSA, OSV
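The defensive check a `return`-style parameter needs is a same-origin test that survives the usual bypass shapes (absolute URL to another host, protocol-relative `//evil.example`, backslash variants that browsers normalise to slashes, non-HTTP schemes, and `user@host` confusion). The following is an added example written for this page, not Flarum's code and not its 1.8.5 fix; the forum host `forum.example.com`, the `FORUM_HOSTS` allow-list and the function names are assumptions.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed forum origin for the example; a real deployment would read this from config.
FORUM_ORIGIN = "https://forum.example.com"
FORUM_HOSTS = {"forum.example.com"}


def is_safe_return_url(candidate: Optional[str]) -> bool:
    """True only if `candidate` keeps the user on the forum's own origin.

    Browsers treat backslashes in the authority part like slashes, so
    '/\\evil.example' is normalised before parsing; protocol-relative
    '//evil.example' then shows up as a netloc and is rejected like any
    other foreign host. Schemes other than http/https (javascript:, data:)
    are refused outright.
    """
    if not candidate:
        return False
    normalized = candidate.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: hostname must be ours and the
        # authority must not smuggle a different host behind userinfo.
        return parts.hostname in FORUM_HOSTS and "@" not in parts.netloc
    # Relative reference: a single leading slash, never '//'.
    return normalized.startswith("/") and not normalized.startswith("//")


def resolve_return_url(candidate: Optional[str], fallback: str = FORUM_ORIGIN + "/") -> str:
    """Target for /logout?return=...; anything unsafe falls back to the forum root."""
    if is_safe_return_url(candidate):
        return urljoin(FORUM_ORIGIN + "/", candidate.replace("\\", "/"))
    return fallback


if __name__ == "__main__":
    for probe in ("/d/123", "https://google.com", "//evil.example", "/\\evil.example",
                  "javascript:alert(1)", "https://forum.example.com@evil.example/"):
        print(f"{probe!r:45} -> {resolve_return_url(probe)}")
```

Rejecting and falling back to the forum root is safer than trying to "repair" an off-site URL; an allow-list of hostnames is also easier to audit than a deny-list of attack patterns.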
CVE-2023-40033 | priority P3 | HIGH | affects >= 0, < 1.8.0 | published 2023-08-16
CVE-2023-40033 [HIGH] CWE-918 Flarum vulnerable to LFI and Blind SSRF via Avatar upload
## Impact
The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The
Sources: GHSA, OSV
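The pattern behind this class of bug is an upload handler that trusts the client-declared MIME type and then hands the raw upload to an image library that is equally happy to open a path or fetch a URL. The check below is an added example for this page, not Flarum's code and not its 1.8.0 fix: it sniffs the magic bytes, ignores the declared type for the decision, and refuses anything that looks like a locator before it could ever reach a loader. The allowed formats, `validate_avatar` and the sample payloads are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats an avatar may be (assumed policy: PNG, JPEG, GIF only).
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Shapes of "content" a path/URL-capable image loader might dereference:
# scheme://..., an absolute POSIX path, a relative path, or a Windows drive path.
_LOOKS_LIKE_LOCATOR = re.compile(
    rb"^\s*(?:[a-z][a-z0-9+.-]*://|/|\.\.?/|[A-Za-z]:\\)", re.IGNORECASE
)


def sniff_image_type(data: bytes) -> Optional[str]:
    """MIME type derived from the bytes, or None if no known signature matches."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_avatar(declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded avatar may be passed to the image library.

    Returns (accepted, reason_or_type). The declared MIME type never decides
    acceptance on its own; only a matching signature does.
    """
    if not data:
        return False, "empty upload"
    if _LOOKS_LIKE_LOCATOR.match(data):
        # Exactly the attack shape: a URL or path dressed up as an image.
        return False, "content looks like a URL or path, refusing to dereference"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "not a supported raster image"
    if declared_mime != actual:
        # Policy choice: a mismatch is treated as a spoofing attempt rather than silently corrected.
        return False, f"declared {declared_mime} but content is {actual}"
    return True, actual


if __name__ == "__main__":
    # Constructed sample uploads, all claiming to be image/png.
    samples = {
        "metadata url": b"https://169.254.169.254/latest/meta-data/",
        "local file": b"/etc/passwd",
        "real png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "jpeg as png": b"\xff\xd8\xff\xe0JFIF",
    }
    for label, body in samples.items():
        print(f"{label:14} -> {validate_avatar('image/png', body)}")
```

Signature sniffing alone already rejects the URL and path payloads; the explicit locator check is there so the audit log records why, and so the decision does not depend on which formats happen to be in the signature table.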
CVE-2025-27794 | priority P3 | MEDIUM | affects >= 0, < 1.8.10 | published 2025-03-12
CVE-2025-27794 [MEDIUM] CWE-74 Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
## **Summary**
A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomai
Sources: GHSA, OSV
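The mechanism is browser cookie scoping: a `Domain=.host.com` cookie set by `evil.host.com` domain-matches `forum.host.com` under RFC 6265, so the forum receives two cookies of the same name and may pick the attacker's. The simulation below is an added example for this page, not Flarum's code and not its 1.8.10 fix; it models the browser's store and send rules and shows that the `__Host-` cookie-name prefix (Secure, no Domain attribute, Path=/) makes the planted cookie unstorable. The hostnames, cookie names and token values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    set_by: str                   # host of the response that set the cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only
    path: str = "/"
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def browser_accepts(cookie: Cookie) -> bool:
    """Store-time checks: Domain must cover the setting host, and prefixed
    names must satisfy the __Host- / __Secure- rules."""
    if cookie.domain is not None and not domain_matches(cookie.set_by, cookie.domain):
        return False  # a host may only scope to itself or a parent, never a sibling
    if cookie.name.startswith("__Host-"):
        return cookie.secure and cookie.domain is None and cookie.path == "/"
    if cookie.name.startswith("__Secure-"):
        return cookie.secure
    return True


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[Tuple[str, str]]:
    """(name, value) pairs a browser attaches to a request for request_host."""
    sent = []
    for c in jar:
        if c.domain is None:
            if c.set_by.lower() != request_host.lower():
                continue  # host-only cookies never travel to other hosts
        elif not domain_matches(request_host, c.domain):
            continue
        sent.append((c.name, c.value))
    return sent


def scenario(session_cookie_name: str) -> List[Tuple[str, str]]:
    """forum.host.com issues a host-only session cookie; evil.host.com then plants a
    same-named cookie scoped to .host.com. Returns what forum.host.com receives."""
    legit = Cookie(session_cookie_name, "legit-token", set_by="forum.host.com", secure=True)
    planted = Cookie(session_cookie_name, "attacker-token", set_by="evil.host.com",
                     domain=".host.com", secure=True)
    jar = [c for c in (legit, planted) if browser_accepts(c)]
    return cookies_sent_to(jar, "forum.host.com")


if __name__ == "__main__":
    print("plain name:   ", scenario("forum_session"))
    print("__Host- name: ", scenario("__Host-forum_session"))
```

Two same-named cookies arriving at the server is itself a strong signal; a server that cannot rename its cookie can at least refuse the request when the `Cookie` header carries the session name more than once, instead of letting framework parsing decide which value wins.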
CVE-2023-22488 | priority P4 | MEDIUM | affects >= 0, < 1.6.3 | published 2023-01-10
CVE-2023-22488 [MEDIUM] CWE-862 Flarum notifications can leak restricted content
Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content.
The notification-sending component does not check that the subject of the notification can be seen by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as
Sources: GHSA, OSV
CVE-2023-27577 | priority P4 | MEDIUM | CVSS 4.9 | affects >= 0, < 1.7.0 | published 2023-03-13
CVE-2023-27577 [MEDIUM] CWE-22 Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files
### Impact
If an admin account has already been compromised by an attacker, the `LESS` parser can be exploited to read sensitive files on the server through the use of path traversal techniques.
An attacker can achieve this by providing an absolute path to a sensitive file in the custom `LESS
Sources: GHSA, OSV
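The containment check a stylesheet preprocessor needs is the same as for any include mechanism: refuse absolute references, normalise the joined path, and confirm it is still under the allowed root. The following is an added example for this page, not Flarum's code and not its 1.7.0 fix; the `@import` pattern, the `LESS_ROOT` directory and the function names are assumptions. It handles both the absolute-path case the advisory names and the `../` form of the same escape.

```python
import posixpath
import re
from typing import List

# Directory custom LESS may import from (assumed for the example).
LESS_ROOT = "/srv/forum/assets/less"

# Matches @import "x"; and @import (reference) 'x'; in the common LESS syntax.
_IMPORT = re.compile(r'@import\s+(?:\([^)]*\)\s*)?["\']([^"\']+)["\']')


def find_imports(less_source: str) -> List[str]:
    return _IMPORT.findall(less_source)


def resolve_import(reference: str, root: str = LESS_ROOT) -> str:
    """Map an @import reference to a file path, refusing anything outside root."""
    if posixpath.isabs(reference):
        raise ValueError(f"absolute import refused: {reference}")
    candidate = posixpath.normpath(posixpath.join(root, reference))
    # commonpath rather than a string prefix test, so '/srv/forum/assets/less2'
    # does not pass as being inside '/srv/forum/assets/less'.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"import escapes {root}: {reference}")
    return candidate


def check_custom_less(less_source: str) -> List[str]:
    """Resolved paths for every import in the source; raises on the first unsafe one."""
    return [resolve_import(ref) for ref in find_imports(less_source)]


if __name__ == "__main__":
    # Constructed custom-LESS samples: one benign, two that try to escape.
    samples = [
        '@import "theme/colors.less";\n@import (reference) "mixins/grid.less";',
        '@import "/etc/passwd";',
        '@import "../../../../etc/passwd";',
    ]
    for src in samples:
        try:
            print("ok     ", check_custom_less(src))
        except ValueError as exc:
            print("refused", exc)
```

This works on the textual path only; a production version should also pass the candidate through `os.path.realpath` (and compare the real root the same way) so a symlink inside the assets directory cannot point the import back out of it.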
CVE-2022-41938 | priority P4 | CRITICAL | affects >= 1.5.0, < 1.6.2 | published 2022-11-21
CVE-2022-41938 [CRITICAL] CWE-79 Cross site scripting vulnerability with discussion titles
Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed.
This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor op
Sources: GHSA, OSV
CVE-2023-22489 | priority P4 | LOW | affects >= 1.3.0, < 1.6.3 | published 2023-01-10
CVE-2023-22489 [LOW] CWE-862 Any Flarum user including unactivated can reply in public discussions whose first post was permanently deleted
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status.
This includes users tha
Sources: GHSA, OSV