
CVE-2025-27794 – Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
https://notcve.org/view.php?id=CVE-2025-27794
12 Mar 2025 — Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the pare... • https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
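The cookie-scoping and session-fixation mechanics behind this entry, as an added Python illustration (not Flarum's code; the cookie name, hosts and session store are constructed for the example). It models a browser attaching a parent-domain cookie planted by `evil.host.com` to a login on `community.host.com`, and shows that only a server which issues a fresh session id on authentication is unaffected:

```python
import secrets
from typing import Dict, List, Optional

# All names are illustrative, not Flarum's: cookie name, hosts and store are constructed.
COOKIE_NAME = "session"


def cookie_applies(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: a cookie with Domain=host.com (a leading dot is
    ignored) is sent to host.com and to every subdomain of it, so a cookie set by
    evil.host.com with Domain=.host.com reaches community.host.com as well."""
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def cookies_for(jar: List[dict], request_host: str, name: str) -> List[str]:
    """Values the browser would attach for `name` on a request to request_host."""
    return [c["value"] for c in jar
            if c["name"] == name and cookie_applies(c["domain"], request_host)]


class SessionStore:
    """Server-side sessions keyed by the session id carried in the cookie."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, dict] = {}

    def login(self, incoming_sid: Optional[str], user: str) -> str:
        """Authenticate `user` and return the session id the response should set.
        Vulnerable variant: binds the identity to whatever id the client sent.
        Fixed variant: discards the client-supplied id and issues a fresh one."""
        if self.rotate_on_login or incoming_sid is None:
            sid = secrets.token_hex(16)
        else:
            sid = incoming_sid
        self.sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def attacker_gets_victim_session(rotate_on_login: bool) -> bool:
    """Run the scenario; True means the attacker's planted id is now authenticated."""
    store = SessionStore(rotate_on_login)
    planted = "attacker-known-sid"
    # Step 1: the victim visits evil.host.com, which sets a cookie scoped to the parent domain.
    jar = [{"name": COOKIE_NAME, "value": planted, "domain": ".host.com"}]
    # Step 2: the victim logs in on community.host.com; the browser attaches that cookie.
    sent = cookies_for(jar, "community.host.com", COOKIE_NAME)
    store.login(sent[0] if sent else None, "victim")
    # Step 3: the attacker replays the id they planted.
    return store.whoami(planted) == "victim"
```

The defence this models is the one the entry names: regenerate the session id on successful authentication (and drop the old one) instead of trusting whatever id arrived, because cookie naming alone cannot stop a sibling subdomain from writing a parent-domain cookie.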

CVE-2024-21641 – Flarum's Logout Route allows open redirects
https://notcve.org/view.php?id=CVE-2024-21641
05 Jan 2024 — Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route accepts a redirect parameter that lets any third party send users from a (trusted) domain of the Flarum installation to an arbitrary URL. Logged-in users must confirm the logout first; guests are redirected immediately. This could be used by spammers to direct victims to a web address of their choosing under cover of a trusted domain of a running Flarum installation. • https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
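A redirect-target validator of the kind that closes this class of bug, as an added Python example (not Flarum's fix; the function name, the `forum_origin` parameter and the sample targets are assumptions). It goes beyond the entry by also handling the usual filter bypasses: scheme-relative `//host`, backslash and triple-slash variants, userinfo tricks, and non-http schemes:

```python
from urllib.parse import urlsplit


def safe_redirect_target(redirect: str, forum_origin: str, default: str = "/") -> str:
    """Return `redirect` if it stays on the forum's own origin, otherwise `default`.

    Rejects absolute URLs to other hosts, scheme-relative `//evil.example`,
    backslash variants that browsers read as slashes, `///host` forms, userinfo
    tricks such as `https://forum@evil.example`, and schemes like `javascript:`.
    (Illustrative helper; not the project's own implementation.)
    """
    if not redirect:
        return default
    # Browsers drop tab/CR/LF and treat backslash as slash in the authority; normalise first.
    candidate = "".join(ch for ch in redirect.strip() if ch not in "\t\r\n").replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only an exact match of scheme and host[:port].
        origin = urlsplit(forum_origin)
        same_origin = (parts.scheme.lower() == origin.scheme.lower()
                       and parts.netloc.lower() == origin.netloc.lower())
        return candidate if same_origin else default
    # No scheme and no netloc: accept only a site-relative path with a single leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Constructed sample inputs a logout handler might receive (not real traffic).
FORUM = "https://community.host.com"
SAMPLES = [
    "/d/12-welcome",
    "https://community.host.com/d/12-welcome",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example",
    "///evil.example",
    "https://community.host.com@evil.example/",
    "javascript:alert(1)",
]


def check_samples() -> dict:
    """Map each sample to where the validator would actually send the user."""
    return {s: safe_redirect_target(s, FORUM) for s in SAMPLES}
```

Exact-origin comparison is deliberately strict: a `:443` suffix or a different subdomain falls back to the default rather than being normalised, which is the safe failure for a logout redirect.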

CVE-2023-40033 – Server-Side Request Forgery via Avatar upload in flarum
https://notcve.org/view.php?id=CVE-2023-40033
16 Aug 2023 — Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied fi... • https://github.com/flarum/framework/commit/d1059c1cc79fe61f9538f3da55e8f42abbede570 • CWE-918: Server-Side Request Forgery (SSRF) •
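The failure mode this entry describes (a loader that decides from the uploaded bytes whether it was handed pixels, a path or a URL) next to the content-sniffing check that prevents it, as an added Python illustration. It is not intervention/image's or Flarum's code; the signature table, the `lenient_loader_would` model and the sample uploads are constructed for the example:

```python
import re
from typing import Optional

# Magic-byte signatures for the image types an avatar endpoint would accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Content a lenient loader might treat as a URL or filesystem path instead of an image.
URL_OR_PATH = re.compile(rb"^\s*(?:[a-z][a-z0-9+.-]*://|/|[a-z]:\\)", re.I)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify by content, ignoring whatever MIME type the client claimed."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def lenient_loader_would(data: bytes) -> str:
    """Model of the behaviour the advisory describes: a loader that infers the
    kind of source from the content it was given. Illustrative only, not the
    library's actual logic."""
    if sniff_image_type(data):
        return "decode-binary"
    if URL_OR_PATH.match(data):
        return "fetch-url-or-read-file"      # the blind-SSRF / local-file-read path
    return "reject"


def accept_avatar(data: bytes, claimed_mime: str, max_bytes: int = 2 * 1024 * 1024) -> bool:
    """Hardened check: bound the size, require real image bytes by signature, and
    require the client's claimed type to agree with what was sniffed."""
    if not data or len(data) > max_bytes:
        return False
    sniffed = sniff_image_type(data)
    return sniffed is not None and sniffed == claimed_mime


# Constructed sample uploads: (body, client-claimed MIME). Not real attack traffic.
SPOOFED_UPLOAD = (b"http://169.254.169.254/latest/meta-data/", "image/png")
LOCAL_FILE_UPLOAD = (b"/etc/passwd", "image/jpeg")
REAL_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png")
```

After `accept_avatar` passes, hand the bytes to the decoder through an entry point that takes binary data only; the whole problem here is a polymorphic "make an image from anything" call being fed a string that is also a valid URL or path.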

CVE-2023-27577 – Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files in flarum
https://notcve.org/view.php?id=CVE-2023-27577
10 Mar 2023 — Flarum is a forum software package for building communities. In versions prior to 1.7.0, an admin account that has already been compromised by an attacker can use a vulnerability in the `LESS` parser to read sensitive files on the server through path traversal. The attacker does this by supplying an absolute path to a sensitive file in the custom `LESS` setting, which the `LESS` parser then reads. For example, an attacker could use the following code to... • https://github.com/flarum/framework/commit/1761660c98ea5a3e9665fb8e6041d1f2ee62a444 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
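A path-containment check for user-supplied `@import` targets, as an added Python example (not Flarum's fix; the allowed-root directory, the simplified `@import` grammar and the sample snippets are assumptions). It covers the absolute-path case the entry describes and, beyond it, `..` escapes and symlinks that point outside the root:

```python
import re
from pathlib import Path
from typing import List


class UnsafeImport(ValueError):
    """Raised when an @import target would leave the allowed directory."""


def resolve_less_import(import_path: str, allowed_root: str) -> Path:
    """Resolve a user-supplied @import target and require it to stay inside
    allowed_root. Absolute paths are rejected outright; `..` escapes are caught
    after normalisation; resolve() follows symlinks, so a link pointing outside
    the root is caught too. (Illustrative; not the project's own code.)"""
    root = Path(allowed_root).resolve()
    candidate = Path(import_path)
    if candidate.is_absolute():
        raise UnsafeImport(f"absolute path rejected: {import_path!r}")
    resolved = (root / candidate).resolve()
    try:
        resolved.relative_to(root)   # component-wise check, not a string-prefix test
    except ValueError:
        raise UnsafeImport(f"escapes allowed root: {import_path!r}") from None
    return resolved


def is_safe_import(import_path: str, allowed_root: str) -> bool:
    try:
        resolve_less_import(import_path, allowed_root)
        return True
    except UnsafeImport:
        return False


def import_targets(less_source: str) -> List[str]:
    """Pull quoted @import targets out of a LESS snippet (simplified grammar,
    enough for `@import "x";` and `@import (reference) "x";`)."""
    return re.findall(r'@import\s+(?:\([^)]*\)\s*)?["\']([^"\']+)["\']', less_source)


# Constructed custom-LESS snippets of the shape the advisory describes.
ATTACKER_LESS = '@import "/etc/passwd";'
BENIGN_LESS = '@import (reference) "theme/colors.less";'
ALLOWED_ROOT = "/srv/forum/less"   # assumed location of the forum's own LESS sources


def audit(less_source: str, allowed_root: str = ALLOWED_ROOT) -> dict:
    """Map every @import target in the snippet to whether it stays inside the root."""
    return {t: is_safe_import(t, allowed_root) for t in import_targets(less_source)}
```

`is_absolute()` is platform-specific: on Windows `"/etc/passwd"` is not absolute (no drive letter) but still resolves against the current drive, so on that platform add an explicit check for a leading slash or backslash as well. This check limits damage from an already-compromised admin account, which is the entry's threat model; it does not replace protecting the account itself.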

CVE-2023-22489 – Flarum is missing authorization in discussion replies
https://notcve.org/view.php?id=CVE-2023-22489
13 Jan 2023 — Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discus... • https://github.com/flarum/framework/commit/12f14112a0ecd1484d97330b82beb2a145919015 • CWE-862: Missing Authorization •

CVE-2023-22488 – Missing authorization in Flarum
https://notcve.org/view.php?id=CVE-2023-22488
12 Jan 2023 — Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass the access checks that would otherwise apply to such content. The notification-sending component does not check that the subject of the notification can be seen by the receiver, and proceeds to send notifications through its different channels. The alerts themselves do not leak data despite this, because they are listed only after a visibility check; emails, however, are still sent out. This means... • https://github.com/flarum/framework/commit/d0a2b95dca57d3dae9a0d77b610b1cb1d0b1766a • CWE-862: Missing Authorization •

CVE-2023-22487 – Post mentions can be used to read any post on the forum without access control
https://notcve.org/view.php?id=CVE-2023-22487
11 Jan 2023 — Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special `@"
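The three missing-authorization entries above (CVE-2023-22489, CVE-2023-22488, CVE-2023-22487) share one root cause: a code path that acts on a post or discussion without consulting the same visibility rule the listing views use. The added Python model below (not Flarum's classes or API; the groups, the `visible_to` rule and the fixtures are constructed) routes replying, mention rendering and notification delivery through a single `can_view` predicate, and evaluates reply permission from the user and discussion rather than from the first post, so a deleted first post and a guest (user id 0) are both rejected before anything reaches the database:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed model; names are illustrative and not Flarum's.


@dataclass
class User:
    id: int                                   # 0 stands for a guest, as in the advisory text
    groups: Set[str] = field(default_factory=set)
    email_verified: bool = True


@dataclass
class Discussion:
    id: int
    visible_to: Set[str]                      # groups allowed to view the discussion
    is_locked: bool = False
    first_post_id: Optional[int] = None       # None once the first post is permanently deleted


@dataclass
class Post:
    id: int
    discussion: Discussion
    content: str


def can_view_discussion(user: User, d: Discussion) -> bool:
    return bool(user.groups & d.visible_to)


def can_view_post(user: User, p: Post) -> bool:
    return can_view_discussion(user, p.discussion)


def can_reply(user: User, d: Discussion) -> bool:
    """Reply permission from the user and discussion only; the state of the
    first post plays no part, so a missing first post cannot widen access."""
    if user.id == 0 or not user.email_verified:
        return False
    if not can_view_discussion(user, d):
        return False
    if d.is_locked and "staff" not in user.groups:
        return False
    return True


def render_mention(viewer: User, post_id: int, posts: Dict[int, Post]) -> str:
    """Expand a post mention only if the viewer may see the target post."""
    target = posts.get(post_id)
    if target is None or not can_view_post(viewer, target):
        return "[post not available]"
    return f"> {target.content}"


def notify(subject: Post, recipients: List[User],
           send: Callable[[User, str], None]) -> List[int]:
    """Dispatch through `send` (alert, email, ...) only to recipients who can
    view the subject; return the ids actually notified."""
    delivered: List[int] = []
    for r in recipients:
        if can_view_post(r, subject):
            send(r, f"New activity on post {subject.id}")
            delivered.append(r.id)
    return delivered


def sample_forum() -> dict:
    """Constructed fixtures: a staff-only discussion whose first post was deleted,
    a locked public one, and three actors."""
    staff_only = Discussion(id=1, visible_to={"staff"}, first_post_id=None)
    public_locked = Discussion(id=2, visible_to={"member", "staff"}, is_locked=True)
    secret = Post(id=100, discussion=staff_only, content="internal note")
    return {
        "staff_only": staff_only, "public_locked": public_locked, "secret": secret,
        "member": User(id=5, groups={"member"}),
        "guest": User(id=0),
        "mod": User(id=9, groups={"member", "staff"}),
    }
```

The point of routing every channel through `can_view_post` is that the email channel gets the same gate as the alert listing; checking visibility only where results are displayed is exactly what left the email path open.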

CVE-2022-41938 – Cross site scripting vulnerability with discussion titles in flarum
https://notcve.org/view.php?id=CVE-2022-41938
19 Nov 2022 — Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. • https://discuss.flarum.org/d/27558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-32671 – XSS vulnerability with translator
https://notcve.org/view.php?id=CVE-2021-32671
07 Jun 2021 — Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 (our last beta before v1.0.0) and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input fields and have this execute on client browsers. The example which led to the discovery of this vulnerability was in the forum search box. • https://github.com/flarum/core/commit/440bed81b8019dff00642c8f493b4909d505a28a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-21283 – XSS in Flarum Sticky extension.
https://notcve.org/view.php?id=CVE-2021-21283
26 Jan 2021 — Flarum is an open source discussion platform for websites. The "Flarum Sticky" extension versions 0.1.0-beta.14 and 0.1.0-beta.15 have a cross-site scripting vulnerability. A change in release beta 14 of the Sticky extension caused the plain-text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit. Any HTML would be injected through the m.trust() helper. • https://discuss.flarum.org/d/26042-security-update-to-flarum-sticky-010-beta151%29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •