Flarum — Vulnerabilities & Security Advisories (14)

Browse all 14 CVE security advisories affecting Flarum. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Flarum serves as a lightweight, extensible discussion forum platform primarily used for community engagement and knowledge sharing. Historically, it has been susceptible to multiple remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and insufficient access controls. While no major public security incidents have been widely documented, the platform's 13 recorded CVEs highlight ongoing security concerns, particularly around its extension ecosystem and user permission management. Regular updates and careful configuration remain critical for maintaining secure deployments, as the software's modular architecture introduces potential attack surfaces that require continuous monitoring and patching.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41887 | Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) | framework | CWE-22 | 4.9 | Medium | 2026-05-08 |
| CVE-2026-30913 | flarum/nickname: Display name injection in notification emails (autolink & markdown) | nicknames | CWE-79 | 4.6 | Medium | 2026-03-09 |
| CVE-2024-58303 | FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings | FriendsofFlarum Pretty Mail | CWE-1336 | 7.2 (AI) | High (AI) | 2025-12-11 |
| CVE-2024-58302 | FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings | FriendsofFlarum Pretty Mail | CWE-98 | 4.9 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-27794 | Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite | framework | CWE-74 | 6.8 | Medium | 2025-03-12 |
| CVE-2024-21641 | Flarum's Logout Route allows open redirects | framework | CWE-601 | 6.5 | Medium | 2024-01-05 |
| CVE-2023-40033 | Server-Side Request Forgery via Avatar upload in flarum | framework | CWE-918 | 7.1 | High | 2023-08-16 |
| CVE-2023-27577 | Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files in flarum | framework | CWE-22 | 6.6 | Medium | 2023-03-10 |
| CVE-2023-22489 | Flarum is missing authorization in discussion replies | framework | CWE-862 | 3.5 | Low | 2023-01-13 |
| CVE-2023-22488 | Missing authorization in Flarum | framework | CWE-862 | 6.8 | Medium | 2023-01-12 |
| CVE-2023-22487 | Post mentions can be used to read any post on the forum without access control | framework | CWE-284 | 7.7 | High | 2023-01-11 |
| CVE-2022-41938 | Cross site scripting vulnerability with discussion titles in flarum | framework | CWE-79 | 9.0 | Critical | 2022-11-19 |
| CVE-2021-32671 | XSS vulnerability with translator | core | CWE-79 | 10.0 | Critical | 2021-06-07 |
| CVE-2021-21283 | XSS in Flarum Sticky extension. | sticky | CWE-79 | 5.4 | Medium | 2021-01-26 |

CVSS and severity values marked (AI) are flagged on the page as AI-generated rather than taken from the advisory itself.

This page lists every published CVE security advisory associated with Flarum. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.