CVE-2026-41887: Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
(updated )
Flarum’s patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()).
Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).
References
- github.com/advisories/GHSA-xjvc-pw2r-6878
- github.com/flarum/framework
- github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410
- github.com/flarum/framework/releases/tag/v1.8.16
- github.com/flarum/framework/releases/tag/v2.0.0-rc.1
- github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw
- github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878
- nvd.nist.gov/vuln/detail/CVE-2023-27577
- nvd.nist.gov/vuln/detail/CVE-2026-41887
Code Behaviors & Features
Detect and mitigate CVE-2026-41887 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →