Cross-site scripting in Flarum - CVE-2021-32671

Published: June 6, 2021 / Updated: April 20, 2026


Vulnerability identifier: #VU126532
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32671
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Flarum
Affected software:
Flarum

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting in the translation system when rendering user-supplied input as HTML DOM nodes. A remote attacker can submit malicious HTML markup to execute arbitrary script code in a victim's browser.

The issue can be triggered through certain user input fields, including the forum search box, and may allow actions to be performed on behalf of the victim.
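The following is an added illustration of the CWE-79 pattern the description names: a translation string whose placeholders are filled from user input and then rendered as HTML. It is hypothetical example code, not Flarum's translator, and the template, parameter names and sample query are constructed here.

```javascript
// Minimal HTML escaper for text that will be interpolated into markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: placeholder values are spliced into the translated
// string verbatim. If the caller then turns the result into DOM nodes
// (innerHTML or an equivalent), tags inside a parameter become real elements.
function translateUnsafe(template, params) {
  return template.replace(/\{(\w+)\}/g, (_, key) =>
    key in params ? params[key] : `{${key}}`);
}

// Hardened pattern: every parameter is escaped at interpolation time, so
// user-controlled values can only become text, never elements or attributes.
// The template itself stays trusted (it comes from the locale files).
function translateSafe(template, params) {
  return template.replace(/\{(\w+)\}/g, (_, key) =>
    key in params ? escapeHtml(params[key]) : `{${key}}`);
}

// Simple check a reviewer or test can apply to rendered output: does any
// user-supplied parameter survive as raw markup?
function leaksMarkup(rendered, params) {
  return Object.values(params).some(
    (v) => /[<>]/.test(String(v)) && rendered.includes(String(v)));
}

// Constructed sample: a search-results heading whose {query} comes from the
// forum search box, one of the input fields the advisory mentions.
const SAMPLE_TEMPLATE = 'Results for "{query}"';
const SAMPLE_PARAMS = { query: '<img src=x onerror=probe()>' };

function demo() {
  const unsafe = translateUnsafe(SAMPLE_TEMPLATE, SAMPLE_PARAMS);
  const safe = translateSafe(SAMPLE_TEMPLATE, SAMPLE_PARAMS);
  return { unsafe, safe, unsafeLeaks: leaksMarkup(unsafe, SAMPLE_PARAMS), safeLeaks: leaksMarkup(safe, SAMPLE_PARAMS) };
}

module.exports = { escapeHtml, translateUnsafe, translateSafe, leaksMarkup, demo };
```

The escaping must happen where the value is interpolated, not at input time, because the same query value may legitimately be stored and shown elsewhere as plain text.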


How to mitigate CVE-2021-32671

Install the security update from the vendor's website.

Sources