Packagist (Composer) package
flarum/framework
pkg:composer/flarum/framework
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27794 | — | — | — | < 1.8.10 | 1.8.10 | Mar 12, 2025 | Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows se |
| CVE-2024-21641 | — | — | — | < 1.8.5 | 1.8.5 | Jan 5, 2024 | Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to any link. For logged-in users, the |
| CVE-2023-40033 | — | — | — | < 1.8.0 | 1.8.0 | Aug 16, 2023 | Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containi |
| CVE-2018-19133 | — | — | — | <= 0.1.0-beta.7.1 | — | Nov 9, 2018 | In Flarum Core 0.1.0-beta.7.1, a serious leak can expose everyone's email address. |