flarum

Top products

The 15 most recently published vulnerabilities affecting flarum.

• CVE-2026-41887Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)4.9May 8, 2026
• CVE-2026-30913flarum/nickname: Display name injection in notification emails (autolink & markdown)4.6Mar 9, 2026
• CVE-2025-27794Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite6.8Mar 12, 2025
• CVE-2024-21641Flarum's Logout Route allows open redirects6.5Jan 5, 2024
• CVE-2023-40033Server-Side Request Forgery via Avatar upload in flarum7.1Aug 16, 2023
• CVE-2023-27577Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files in flarum6.6Mar 10, 2023
• CVE-2023-22489Flarum is missing authorization in discussion replies3.5Jan 13, 2023
• CVE-2023-22488Missing authorization in Flarum6.8Jan 12, 2023
• CVE-2023-22487Post mentions can be used to read any post on the forum without access control7.7Jan 11, 2023
• CVE-2022-41938Cross site scripting vulnerability with discussion titles in flarum9.0Nov 19, 2022
• CVE-2021-32671XSS vulnerability with translator10.0Jun 7, 2021
• CVE-2021-21283XSS in Flarum Sticky extension.5.4Jan 26, 2021
• CVE-2019-13183Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.8.8Jul 7, 2019
• CVE-2019-11514User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.7.5Apr 25, 2019
• CVE-2018-19133In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address.5.3Nov 9, 2018