Main Vulnerability Database SB2026042066

SB2026042066 - Path traversal in Flarum

Published: April 20, 2026

Security Bulletin ID SB2026042066

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the LESS parser when compiling LESS config variables from theme color settings. A remote privileged user can submit a specially crafted setting value to disclose sensitive information.

The contents of an imported resource are embedded into the compiled forum.css, which is publicly served.

Remediation

Install update from vendor's website.

References

https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878