CVE-2026-41887
Description
Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flarum/corePackagist | < 1.8.16 | 1.8.16 |
flarum/corePackagist | >= 2.0.0-beta.1, < 2.0.0-rc.1 | 2.0.0-rc.1 |
Affected products
2Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-xjvc-pw2r-6878ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-27577ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41887ghsaADVISORY
- github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410nvdWEB
- github.com/flarum/framework/releases/tag/v1.8.16nvdWEB
- github.com/flarum/framework/releases/tag/v2.0.0-rc.1nvdWEB
- github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcwghsaWEB
- github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878nvdWEB
News mentions
0No linked articles in our index yet.