CVE-2026-30913: flarum/nicknames extension has display name injection in notification emails (autolink & markdown)

March 10, 2026

When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.

References

github.com/advisories/GHSA-3c4m-j3g4-hh25
github.com/flarum/framework
github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25
github.com/flarum/nicknames/commit/4dde99729abdce8f6e2a7437c86e38735fdcca28
github.com/flarum/nicknames/releases/tag/v1.8.3
nvd.nist.gov/vuln/detail/CVE-2026-30913

Code Behaviors & Features

Detect and mitigate CVE-2026-30913 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →