Critical severityNVD Advisory· Published Nov 19, 2022· Updated Apr 23, 2025

Cross site scripting vulnerability with discussion titles in flarum

CVE-2022-41938

Description

Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from v1.5.0 to v1.6.1 are impacted. The vulnerability has been fixed and published as flarum/core v1.6.2. All communities running Flarum from v1.5.0 to v1.6.1 have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
flarum/corePackagist	>= 1.5.0, < 1.6.2	1.6.2

Affected products

Flarum/Frameworkv5
Range: >= 1.5.0, < 1.6.2

Patches

690de9ce0ffe

fix: evaluated page title content (#3684)

https://github.com/flarum/frameworkSami MazouzNov 18, 2022via ghsa

commit

2 files changed · +12 −6

framework/core/js/src/common/Application.tsx+11 −5 modified

@@ -410,16 +410,22 @@ export default class Application {
       pageNumber: 1,
     };
 
-    const title =
+    let title =
       onHomepage || !this.title
         ? extractText(app.translator.trans('core.lib.meta_titles.without_page_title', params))
         : extractText(app.translator.trans('core.lib.meta_titles.with_page_title', params));
 
-    const tempEl = document.createElement('div');
-    tempEl.innerHTML = title;
-    const decodedTitle = tempEl.innerText;
+    title = count + title;
 
-    document.title = count + decodedTitle;
+    // We pass the title through a DOMParser to allow HTML entities
+    // to be rendered correctly, while still preventing XSS attacks
+    // from user input by using a script-disabled environment.
+    // https://github.com/flarum/framework/issues/3514
+    // https://github.com/flarum/framework/pull/3684
+    const parser = new DOMParser();
+    const safeTitle = parser.parseFromString(title, 'text/html').body.innerHTML;
+
+    document.title = safeTitle;
   }
 
   protected transformRequestOptions<ResponseType>(flarumOptions: FlarumRequestOptions<ResponseType>): InternalFlarumRequestOptions<ResponseType> {

framework/core/views/frontend/app.blade.php+1 −1 modified

@@ -3,7 +3,7 @@
       @if ($language) lang="{{ $language }}" @endif>
     <head>
         <meta charset="utf-8">
-        <title>{!! $title !!}</title>
+        <title>{{ $title }}</title>
 
         {!! $head !!}
     </head>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-7x4w-j98p-854xghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-41938ghsaADVISORY
discuss.flarum.org/d/27558ghsaWEB
github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138ghsaWEB
github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854xghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000