flarum/core Security Advisories for v1.8.6 (2)
- [MEDIUM] Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
PKSA-4s1v-jz1f-4jpx CVE-2026-41887 GHSA-xjvc-pw2r-6878
Affected version: >=2.0.0-beta.1,<=2.0.0-beta.8|<=1.8.15
Reported by: GitHub
- [MEDIUM] Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
PKSA-wm5r-h6h3-m2pf CVE-2025-27794 GHSA-hg9j-64wp-m9px
Affected version: <1.8.10
Reported by: GitHub