flarum/core
Packagist: 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flarum/core
- CVE-2021-32671 | CRITICAL | CVSS 10.0 | EG 10.0 | Fixed in 1.0.2 | 2021-06-07
vulnerable: v1.0.0, v1.0.1
Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was n…
- CVE-2022-41938 | CRITICAL | CVSS 9.0 | EG 9.0 | Fixed in 1.6.2 | 2022-11-19
vulnerable: v1.5.0, v1.6.0, v1.6.1
Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker t…
- CVE-2023-22488 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 1.6.3 | 2023-01-12
vulnerable: v0.1.0-beta ... v1.6.2 (39 versions)
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not che…
- CVE-2023-22489 | LOW | CVSS 3.5 | EG 3.5 | Fixed in 1.6.3 | 2023-01-13
vulnerable: v1.3.0 ... v1.6.2 (8 versions)
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the re…
- CVE-2023-27577 | MEDIUM | CVSS 6.6 | EG 6.6 | Fixed in 1.7.0 | 2023-03-10
vulnerable: v0.1.0-beta ... v1.6.3 (40 versions)
Flarum is a forum software package for building communities. In versions prior to 1.7.0 an admin account which has already been compromised by an attacker may use a vulnerability in the `LESS` parser which can be exploited to read sensitiv…
- CVE-2023-40033 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 1.8.0 | 2023-08-16
vulnerable: v0.1.0-beta ... v1.7.2 (43 versions)
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any F…
- CVE-2024-21641 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.8.5 | 2024-01-05
vulnerable: v0.1.0-beta ... v1.8.4 (48 versions)
Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redire…
- CVE-2025-27794 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 1.8.10 | 2025-03-12
vulnerable: v0.1.0-beta ... v1.8.9 (53 versions)
Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the pa…
- CVE-2026-41887 | MEDIUM | CVSS 4.9 | EG 4.9 | Fixed in 2.0.0-rc.1 | 2026-05-08
vulnerable: v2.0.0-beta.1 ... v2.0.0-beta.8 (8 versions)
Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to …