flarum/core Security Advisories for v1.5.0 (7)
-
[MEDIUM] Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
PKSA-wm5r-h6h3-m2pf CVE-2025-27794 GHSA-hg9j-64wp-m9px
Affected version: <1.8.10
Reported by:
GitHub -
[MEDIUM] Flarum's logout Route allows open redirects
PKSA-t2c9-4b54-wr9g CVE-2024-21641 GHSA-733r-8xcp-w9mr
Affected version: <1.8.5
Reported by:
GitHub -
[HIGH] Flarum vulnerable to LFI and Blind SSRF via Avatar upload
PKSA-gy61-rznj-1v67 CVE-2023-40033 GHSA-67c6-q4j4-hccg
Affected version: <1.8.0
Reported by:
GitHub -
[MEDIUM] Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files
PKSA-vdnx-r1qz-p9z5 CVE-2023-27577 GHSA-vhm8-wwrf-3gcw
Affected version: <1.7.0
Reported by:
GitHub -
[LOW] Any Flarum user including unactivated can reply in public discussions whose first post was permanently deleted
PKSA-gpsv-mz61-p6f9 CVE-2023-22489 GHSA-hph3-hv3c-7725
Affected version: >=1.3.0,<1.6.3
Reported by:
GitHub -
[MEDIUM] Flarum notifications can leak restricted content
PKSA-c9jx-2v6m-svqv CVE-2023-22488 GHSA-8gcg-vwmw-rxj4
Affected version: <1.6.3
Reported by:
GitHub -
[CRITICAL] Cross site scripting vulnerability with discussion titles
PKSA-rwhf-8kmk-djrd CVE-2022-41938 GHSA-7x4w-j98p-854x
Affected version: >=1.5.0,<1.6.2
Reported by:
GitHub