CVE-2026-41887
medium
CVSS v3
4.9
CVSS v4 NEW
n/a
VIR risk
4.9
Description
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Predictions
Exploit likelihood
59%
Patch ETA
n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | flarum/core | >=2.0.0-beta.1,<=2.0.0-beta.8 or <=1.8.15 | |
| Packagist | flarum/core | <1.8.16 | 1.8.16 |
| Packagist | flarum/core | >=2.0.0-beta.1,<2.0.0-rc.1 | 2.0.0-rc.1 |
| COMPOSER | flarum/core | >= 2.0.0-beta.1, <= 2.0.0-beta.8 | 2.0.0-rc.1 |
| COMPOSER | flarum/core | <= 1.8.15 | 1.8.16 |
References
- https://github.com/advisories/GHSA-xjvc-pw2r-6878
- https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410
- https://github.com/flarum/framework/releases/tag/v1.8.16
- https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1
- https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878
- https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw
- https://nvd.nist.gov/vuln/detail/CVE-2023-27577
- https://nvd.nist.gov/vuln/detail/CVE-2026-41887
- https://github.com/flarum/framework
CWEs
CWE-22 CWE-918