SCA: security update for flarum/core (GHSA-xjvc-pw2r-6878)

Severity: Medium | Tenable Self-Hosted Container Security | Plugin ID 440768

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for
CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the
same restriction was never applied to other settings registered as LESS config variables (for example
theme_primary_color and theme_secondary_color, as well as any key registered via
Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at
compile time, allowing an authenticated administrator to craft a theme-color value that injects an
arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours
@import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file
inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched
in versions 1.8.16 and 2.0.0-rc.1. (CVE-2026-41887)

Solution

Update the flarum/core library and its related packages to version 1.8.16 or later.
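One way to check locally whether an installed flarum/core predates the fixed versions named in the description (1.8.16 for the 1.x line, 2.0.0-rc.1 for the 2.0 pre-releases), as an added example that is neither Tenable's plugin logic nor Flarum's own code; it assumes a Composer composer.lock with the standard "packages" array and Composer-style version strings (a leading "v" and a "-rc.N"/"-beta.N" suffix are handled, non-numeric branch versions such as "dev-main" are skipped).

```python
import json
import re

# Fixed versions named in GHSA-xjvc-pw2r-6878 / CVE-2026-41887, keyed by major line.
FIXED = {1: "1.8.16", 2: "2.0.0-rc.1"}


def parse_version(text):
    """Turn a Composer version such as 'v1.8.15' or '2.0.0-rc.1' into a sortable key.

    A plain release sorts after any pre-release of the same number, as in semver.
    Raises ValueError for non-numeric versions such as 'dev-main'.
    """
    text = text.strip().lstrip("vV")
    release, _, pre = text.partition("-")
    nums = tuple(int(p) for p in release.split("."))
    nums += (0,) * (3 - len(nums))  # pad e.g. '1.8' to (1, 8, 0)
    if not pre:
        return (nums, 1, ())
    # Numeric tokens compare as ints, names as strings ('beta' < 'rc').
    tokens = tuple((1, int(t)) if t.isdigit() else (0, t) for t in re.split(r"[.\-]", pre))
    return (nums, 0, tokens)


def is_affected(version):
    """True when this flarum/core version predates the fix for its major line."""
    key = parse_version(version)
    major = key[0][0]
    if major <= 1:  # 0.x and 1.x: fixed in 1.8.16
        return key < parse_version(FIXED[1])
    if major == 2:  # 2.0 pre-releases: fixed in 2.0.0-rc.1
        return key < parse_version(FIXED[2])
    return False


def check_composer_lock(lock_text):
    """Return the installed flarum/core version if it is affected, else None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != "flarum/core":
            continue
        try:
            if is_affected(pkg["version"]):
                return pkg["version"]
        except ValueError:  # branch alias or other non-numeric version
            continue
    return None


# Constructed composer.lock fragment for demonstration (not a real lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "flarum/core", "version": "v1.8.15"},
    {"name": "flarum/tags", "version": "v1.8.0"},
]})

if __name__ == "__main__":
    hit = check_composer_lock(SAMPLE_LOCK)
    print("affected flarum/core version:" if hit else "flarum/core not affected", hit or "")
```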

See Also

https://github.com/advisories/GHSA-xjvc-pw2r-6878

Plugin Details

Severity: Medium

ID: 440768

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 4/23/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2026-41887

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-41887