Description
Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
Published: 2026-05-08
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the LESS parser allows an authenticated administrator to inject an @import directive through the theme_primary_color, theme_secondary_color, or other LESS‑config variables. The injected import is processed by the parser, enabling the attacker to read arbitrary files reachable by the PHP process (local file inclusion) or to initiate outbound HTTP(S) requests (server‑side request forgery). This exposes sensitive configuration files and other data to a privileged attacker and creates a vector for data exfiltration or further compromise.

Affected Systems

All Flarum 1.x installations older than 1.8.16, and all 2.x releases older than 2.0.0‑rc.1, are affected. The vulnerability also applies to any extensions that register LESS configuration variables via Extend\Settings::registerLessConfigVar(), as these variables are not subjected to the same import restriction.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity; the vulnerability requires authenticated administrator privileges but imposes no network‑level constraints. EPSS information is unavailable, and the flaw is not listed in CISA’s KEV catalog. Because the attack requires modifying a theme‑color setting, it is likely limited to administrators or privileged users who have access to the Flarum backend. The attack vector, while internal, can still facilitate data theft or pivot to other services by leveraging LFI or SSRF.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flarum 1.8.16 or later (or 2.0.0‑rc.1 or later) to receive the patch that applies the import restriction to all LESS‑config variables
  • If an upgrade cannot be performed immediately, audit all extensions that register LESS configuration variables and either remove the affected variables or modify them so that their values cannot contain an @import directive
  • Implement least‑privilege permissions for the PHP process and the web server to restrict which files can be read, thereby limiting the impact of any successful LFI or SSRF

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xjvc-pw2r-6878 Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
History

Fri, 08 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
Title Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Weaknesses CWE-22
CWE-918
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:26:53.642Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41887

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T17:16:30.890

Modified: 2026-05-08T17:16:30.890

Link: CVE-2026-41887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T17:45:13Z

Weaknesses