CVE-2026-30913
Hyperlink Injection via Nicknames in Flarum Email Notifications
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flarum | flarum | nicknames |
| flarum | nicknames | 1.8.3 |
| flarum | framework | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30913 is a display name injection vulnerability in the flarum/nicknames extension for the Flarum forum software. When the extension is enabled, registered users can set their nickname to a string that email clients interpret as a hyperlink. Nicknames are inserted verbatim into plain-text notification emails, so email clients may automatically convert them into clickable links.

There are two main variants of this issue:
- Domain autolink variant: a nickname such as "nasty.com" becomes a clickable link in most email clients.
- Markdown link syntax variant: a nickname formatted as a markdown link, e.g. [CLICK](https://evil.com), is rendered as a clickable link in email clients that render markdown inside plain-text emails.

Either variant lets an attacker mislead email recipients into clicking malicious links that appear to come from trusted platform notifications, enabling phishing or social engineering attacks. [1]
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to craft malicious nicknames that appear as clickable links in notification emails sent by the Flarum forum software. Recipients of these emails may be misled into visiting attacker-controlled domains.
Such misleading links can facilitate phishing attacks or social engineering, potentially leading to credential theft, malware installation, or other security breaches.
The vulnerability has a medium severity score (CVSS 4.6) and requires user interaction (clicking the link) to be exploited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves maliciously crafted nicknames in the flarum/nicknames extension being inserted verbatim into plain-text notification emails, where they can become clickable links to attacker-controlled domains.

To determine whether your installation is affected, check whether it runs a flarum/nicknames version earlier than 1.8.3; those versions are vulnerable. Additionally, audit existing nicknames for suspicious patterns such as domain-like strings (e.g. "nasty.com") or markdown link syntax (e.g. "[CLICK](https://evil.com)"). The extension stores nicknames in the nickname column of the users table (prefixed, e.g. flarum_users, if your installation uses a table prefix):
- Search the database for nicknames containing the characters [ ] ( ) < > or domain-like patterns.
- Example SQL query for nicknames with markdown/HTML link characters: SELECT id, username, nickname FROM users WHERE nickname REGEXP '[\\[\\]\\(\\)<>]'; The doubled backslashes are consumed by the SQL string parser so that the regex engine receives [\[\]\(\)<>]; on MySQL 5.7, whose regex engine treats a backslash inside brackets literally, write the class as '[][()<>]' instead.
- Example SQL query for nicknames containing a dot, the broadest net for domain-like strings (expect false positives such as "Dr. Who"): SELECT id, username, nickname FROM users WHERE nickname LIKE '%.%';

Monitoring outgoing notification emails for unexpected hyperlinks or suspicious display names can also help detect exploitation attempts. [1, 2]
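The audit described above, as an added example that is not part of the advisory or the Flarum project: it runs the same kind of queries over a constructed stand-in for the users table (sqlite3 in memory, with a REGEXP function registered since SQLite has none built in). The sample rows, the table name default and the tighter domain pattern (which avoids flagging names like "Dr. Strange" that the bare LIKE '%.%' would catch) are assumptions of this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for Flarum's `users` table; the
# flarum/nicknames extension adds the `nickname` column to that table.
# Row 5 contains a dot but is not a domain; row 7 is an assumed
# e-mail-style nickname, which clients also autolink.
SAMPLE_USERS = [
    (1, "alice", None),
    (2, "bob", "Bob"),
    (3, "mallory", "nasty.com"),
    (4, "eve", "[CLICK](https://evil.com)"),
    (5, "trent", "Dr. Strange"),
    (6, "carol", "<a href=x>carol</a>"),
    (7, "dave", "support@flarum.local"),
]

# Characters that markdown or HTML link syntax needs.
LINK_CHARS = r"[\[\]()<>]"
# An explicit URL scheme, which most clients autolink regardless of dots.
URL_SCHEME = r"(?i)\b(?:https?|ftp|mailto):"
# Domain-like token: labels of letters/digits/hyphens, then a dot and a
# 2+ letter TLD. Tighter than LIKE '%.%', so "Dr. Strange" is not flagged.
DOMAIN_LIKE = r"(?i)(?<![a-z0-9])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?![a-z])"

CHECKS = [
    ("link characters", LINK_CHARS),
    ("url scheme", URL_SCHEME),
    ("domain-like", DOMAIN_LIKE),
]


def _regexp(pattern, value):
    """SQLite has no built-in REGEXP; `x REGEXP y` calls regexp(y, x)."""
    return value is not None and re.search(pattern, value) is not None


def build_sample_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, nickname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def audit_nicknames(conn, table="users"):
    """Return [(id, username, nickname, [reasons])] for every nickname an
    e-mail client could turn into a link. `table` is a fixed configuration
    value (assumption: e.g. "flarum_users" on prefixed installs), never
    user input, which is why it is interpolated into the SQL text."""
    where = " OR ".join("nickname REGEXP ?" for _ in CHECKS)
    rows = conn.execute(
        f"SELECT id, username, nickname FROM {table} WHERE {where} ORDER BY id",
        [pattern for _, pattern in CHECKS],
    ).fetchall()
    findings = []
    for uid, username, nickname in rows:
        reasons = [label for label, pattern in CHECKS if re.search(pattern, nickname)]
        findings.append((uid, username, nickname, reasons))
    return findings


if __name__ == "__main__":
    for uid, username, nickname, reasons in audit_nicknames(build_sample_db()):
        print(f"user {uid} ({username}): {nickname!r} -> {', '.join(reasons)}")
```

Against a real Flarum database, point the same three patterns at the users table with your prefix; MySQL 8 and MariaDB accept this regex syntax, while MySQL 5.7 needs the bracket-class form noted above.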
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the flarum/nicknames extension to version 1.8.3 or later, where the issue is fixed.

If upgrading is not immediately possible, apply the following mitigations:
- Validate nicknames on input and reject those containing characters that email clients interpret as URL or markdown link syntax, specifically [ ] ( ) < >.
- Sanitize display names before inserting them into notification emails: strip markdown/HTML link characters and insert a zero-width space after every dot, which stops clients from autolinking domain-like strings.
- Wrap the default notification mailer in a sanitizing decorator, similar to the 'SanitizedNotificationMailer' approach, so that display names are sanitized at send time.

Input validation alone does not cover nicknames stored before the rule was added, so combine it with send-time sanitization or an audit of existing nicknames. Additionally, inform users and administrators about the disallowed characters to prevent future injection vectors. [1, 2]
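The two layers above (input-time validation and send-time sanitization) as an added example; this is not code from the advisory or from Flarum, and it does not use Flarum's mailer API. The notification template, the function names and the looks_linkable heuristic are assumptions of this example. One step goes beyond what the page describes and is marked as such in the code: after stripping brackets from a markdown link, an explicit scheme such as https:// is left behind, so the example also splits "://" with a zero-width space.

```python
import re

ZWSP = "\u200b"  # zero-width space: invisible, but breaks autolink scanning
DISALLOWED_CHARS = frozenset("[]()<>")
LINK_CHARS_RE = re.compile(r"[\[\]()<>]")

# Assumed plain-text template in the shape of a notification mail; Flarum's
# real templates are not reproduced here.
TEMPLATE = '{name} replied to your discussion "{title}".\n\nView it at {url}\n'

# Heuristic for "an autolinker would still bite": link brackets, a dot
# directly followed by letters, or a full scheme with "://".
LINKABLE_RE = re.compile(
    r"[\[\]()<>]|[A-Za-z0-9-]\.[A-Za-z]{2,}|(?:https?|ftp)://", re.IGNORECASE
)


def nickname_violations(nickname):
    """Input-time check: return the disallowed characters present, sorted;
    an empty list means the nickname may be saved."""
    return sorted(set(nickname) & DISALLOWED_CHARS)


def sanitize_display_name(name):
    """Send-time defence for names already stored: drop markdown/HTML link
    characters, then put a zero-width space after every dot so "nasty.com"
    no longer reads as a domain to an autolinker."""
    without_links = LINK_CHARS_RE.sub("", name)
    broken_domains = without_links.replace(".", "." + ZWSP)
    # Added hardening beyond the page's description: also split "://" so an
    # explicit scheme left over from a stripped markdown link does not form
    # a URL either.
    return broken_domains.replace("://", ":" + ZWSP + "//")


def looks_linkable(name):
    """True if an e-mail client could plausibly turn `name` into a link."""
    return LINKABLE_RE.search(name) is not None


def render_notification(display_name, title, url, sanitize=True):
    """Build the e-mail body; sanitize=False reproduces the vulnerable
    behaviour of interpolating the stored nickname verbatim."""
    name = sanitize_display_name(display_name) if sanitize else display_name
    return TEMPLATE.format(name=name, title=title, url=url)


if __name__ == "__main__":
    for nick in ("nasty.com", "[CLICK](https://evil.com)", "Dr. Strange"):
        print(repr(nick), "violations:", nickname_violations(nick))
        print("  verbatim :", render_notification(nick, "Hello", "https://forum.example/d/1", sanitize=False).splitlines()[0])
        print("  sanitized:", render_notification(nick, "Hello", "https://forum.example/d/1").splitlines()[0])
```

The zero-width space survives the trip through a plain-text mail body (the message is encoded as UTF-8) and is invisible to the reader, but it does change the stored bytes of the name, so apply it only at render time and never write the sanitized form back to the database.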