CVE-2026-41887— Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41887
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Flarum 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Flarum是Flarum开源的一个用于构建社区的简单论坛软件。 Flarum 1.8.16之前版本和2.0.0-rc.1之前版本存在路径遍历漏洞,该漏洞源于对LESS配置变量值未进行限制,可能导致任意文件包含或服务端请求伪造。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41887
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41887
请登录查看更多情报信息。
- Release v1.8.16 · flarum/framework · GitHubx_refsource_MISC
- Release v2.0.0-rc.1 · flarum/framework · GitHubx_refsource_MISC
- Merge commit from fork · flarum/framework@2d90a1f · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-41887
IV. Related Vulnerabilities
Same product: framework
- CVE-2025-67722
Authenticated amportal search for ‘freepbx_engine’ in non ro - CVE-2025-66039
FreePBX Endpoint Manager Allows Unauthenticated Logins to Ad - CVE-2025-59056
FreePBX vulnerable to unauthenticated Denial of Service - CVE-2025-55211
FreePBX Post-Authenticated Command Injection - CVE-2025-3590
Adianti Framework deserialization
Same vendor: flarum
- CVE-2026-30913
flarum/nickname: Display name injection in notification emai - CVE-2024-58303
FoF Pretty Mail 1.1.2 Server Side Template Injection via Ema - CVE-2024-58302
FoF Pretty Mail 1.1.2 Local File Inclusion via Email Templat - CVE-2025-27794
Flarum Vulnerable to Session Hijacking via Authoritative Sub - CVE-2024-21641
Flarum's Logout Route allows open redirects
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-41887
No comments yet