CVE-2026-30913
Received Received - Intake
Hyperlink Injection via Nicknames in Flarum Email Notifications

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30913
EUVD
EUVD-2026-10422
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
flarum flarum nicknames
flarum nicknames 1.8.3
flarum framework *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30913 is a display name injection vulnerability in the flarum/nicknames extension of the Flarum forum software. When enabled, registered users can set their nicknames to strings that email clients interpret as hyperlinks. These nicknames are inserted verbatim into plain-text notification emails, which can cause email clients to automatically convert them into clickable links.'}, {'type': 'paragraph', 'content': 'There are two main variants of this issue: (1) Domain Autolink Variant, where nicknames like "nasty.com" become clickable links in most email clients, and (2) Markdown Link Syntax Variant, where nicknames formatted as markdown links (e.g., [CLICK](https://evil.com)) are rendered as clickable links in email clients that auto-render markdown in plain-text emails.'}, {'type': 'paragraph', 'content': 'This vulnerability allows attackers to mislead email recipients into clicking malicious links that appear to come from trusted platform notifications, enabling phishing or social engineering attacks.'}] [1]

Impact Analysis

This vulnerability can impact you by enabling attackers to craft malicious nicknames that appear as clickable links in notification emails sent by the Flarum forum software. Recipients of these emails may be misled into visiting attacker-controlled domains.

Such misleading links can facilitate phishing attacks or social engineering, potentially leading to credential theft, malware installation, or other security breaches.

The vulnerability has a medium severity score (CVSS 4.6) and requires user interaction (clicking the link) to be exploited.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves maliciously crafted nicknames in the flarum/nicknames extension that are inserted verbatim into plain-text notification emails, potentially creating clickable links to attacker-controlled domains.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check if your Flarum installation uses the nicknames extension version prior to 1.8.3, as those versions are vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, you can audit user nicknames for suspicious patterns such as domain-like strings (e.g., "nasty.com") or markdown link syntax (e.g., "[CLICK](https://evil.com)").'}, {'type': 'list_item', 'content': 'Search the database for nicknames containing characters like [ ] ( ) < > or domain-like patterns.'}, {'type': 'list_item', 'content': "Example SQL command to find nicknames with markdown link characters: SELECT * FROM nicknames WHERE nickname REGEXP '[\\[\\]\\(\\)<>]';"}, {'type': 'list_item', 'content': "Example SQL command to find nicknames containing domain-like strings (e.g., containing a dot): SELECT * FROM nicknames WHERE nickname LIKE '%.%';"}, {'type': 'paragraph', 'content': 'Monitoring outgoing notification emails for unexpected hyperlinks or suspicious display names can also help detect exploitation attempts.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade the flarum/nicknames extension to version 1.8.3 or later, where the issue is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, apply the following mitigations:'}, {'type': 'list_item', 'content': 'Implement validation to reject nicknames containing characters that email clients interpret as URLs or markdown links, specifically disallowing [ ] ( ) < > characters.'}, {'type': 'list_item', 'content': 'Sanitize display names before inserting them into notification emails by stripping markdown/HTML link characters and inserting zero-width space characters after dots to break domain autolinking.'}, {'type': 'list_item', 'content': "Use or implement a sanitizing decorator or mailer wrapper similar to the 'SanitizedNotificationMailer' that overrides the default notification mailer to sanitize display names during email sending."}, {'type': 'paragraph', 'content': 'Additionally, inform users and administrators about the disallowed characters to prevent future injection vectors.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart