Path traversal in Flarum - #VU126537

Published: April 20, 2026


Vulnerability identifier: #VU126537
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Flarum
Affected software:
Flarum

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the LESS parser when compiling LESS config variables from theme color settings. A remote privileged user can submit a specially crafted setting value to disclose sensitive information.

The contents of an imported resource are embedded into the compiled forum.css, which is publicly served.
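The class of defect described above is a user-controlled value being interpolated into LESS source, where it can stop being a colour literal and become arbitrary LESS. The mitigation an application should apply is strict allow-list validation of each theme colour setting before it is emitted as a variable. The following is an added example and is not Flarum's own code; the function names, the `@config-` variable prefix and the sample settings are constructed assumptions for illustration.

```php
<?php
// Added example (not Flarum's own code): allow-list validation of theme colour
// settings before they are compiled into LESS variables. Helper names and the
// "@config-" prefix are hypothetical; the constructed sample input is at the end.

declare(strict_types=1);

/**
 * True only if $value is a plain CSS colour literal: a 3/4/6/8-digit hex colour,
 * or an rgb()/rgba()/hsl()/hsla() call with numeric arguments. Anything else
 * (quotes, semicolons, newlines, at-rules, function calls other than the four
 * above) is rejected, so the value can never terminate the declaration or make
 * the LESS compiler read another resource.
 */
function isSafeColorLiteral(string $value): bool
{
    $hex = '/^#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/';
    $fn  = '/^(?:rgb|hsl)a?\(\s*\d{1,3}%?(?:\s*,\s*\d{1,3}%?){2}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\)$/';

    return preg_match($hex, $value) === 1 || preg_match($fn, $value) === 1;
}

/**
 * Compile colour settings into LESS variable declarations. Invalid values are
 * dropped and reported instead of emitted, so the compiled stylesheet that is
 * served publicly can only ever contain colour literals.
 *
 * @param array<string,string> $settings  e.g. ['primary' => '#4d698e']
 * @return array{less:string, rejected:array<int,string>}
 */
function compileColorVariables(array $settings): array
{
    $less = '';
    $rejected = [];

    foreach ($settings as $name => $value) {
        // Variable names should come from the application, not the user; check anyway.
        if (preg_match('/^[a-z][a-z0-9-]*$/i', $name) !== 1) {
            $rejected[] = (string) $name;
            continue;
        }

        $value = trim($value);
        if (!isSafeColorLiteral($value)) {
            $rejected[] = $name;
            continue;
        }

        // Hypothetical variable naming; the validated literal is the only user data emitted.
        $less .= "@config-{$name}: {$value};\n";
    }

    return ['less' => $less, 'rejected' => $rejected];
}

// Constructed sample input: two valid colour literals and one value that is not
// a colour literal and is therefore dropped from the compiled output.
$result = compileColorVariables([
    'primary'   => '#4d698e',
    'secondary' => 'rgba(0, 0, 0, 0.5)',
    'tertiary'  => '#fff; not-a-colour',
]);

echo $result['less'];          // only the "primary" and "secondary" declarations
print_r($result['rejected']);  // Array ( [0] => tertiary )
```

Validation of this kind belongs at the point where the setting is saved as well as at compile time, so that a bad value never reaches storage; the compile-time check above is the last line of defence and also the right place to log rejected values, since a rejection there is a useful detection signal.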


Remediation

Install the security update from the vendor's website.

Sources