Flarum Framework
9 CVEs affecting Flarum Framework. Latest disclosed: 2026-05-08. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-41938 | Critical | 9.0 | 2022-11-19 | Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered… |
| CVE-2023-22487 | High | 7.7 | 2023-01-11 | Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the… |
| CVE-2023-40033 | High | 7.1 | 2023-08-16 | Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) at… |
| CVE-2025-27794 | Medium | 6.8 | 2025-03-12 | Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain… |
| CVE-2023-22488 | Medium | 6.8 | 2023-01-12 | Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that wou… |
| CVE-2023-27577 | Medium | 6.6 | 2023-03-10 | flarum is a forum software package for building communities. In versions prior to 1.7.0 an admin account which has already been compromised by an attacker may… |
| CVE-2024-21641 | Medium | 6.5 | 2024-01-05 | Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third part… |
| CVE-2026-41887 | Medium | 4.9 | 2026-05-08 | Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS fea… |
| CVE-2023-22489 | Low | 3.5 | 2023-01-13 | Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view… |