CVE-2026-41887
Received Received - Intake
LESS Injection in Flarum Theme Settings

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41887
EUVD
EUVD-2026-28804
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
flarum flarum to 1.8.16|end_excluding=2.0.0-rc.1 (exc)
flarum flarum to 2.0.0-beta.8 (exc)
flarum flarum 1.8.16
flarum flarum 2.0.0-rc.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Flarum, an open-source forum software, in versions prior to 1.8.16 and 2.0.0-rc.1. It arises because certain settings registered as LESS configuration variables (such as theme_primary_color and theme_secondary_color) are not properly restricted. These settings are directly interpolated into the LESS source code at compile time without sanitization, allowing an authenticated administrator to inject arbitrary @import directives into the compiled CSS.

Because the LESS parser processes these @import directives, an attacker can exploit this to perform local file inclusion (reading arbitrary files accessible by the PHP process) or trigger outbound HTTP(S) requests (server-side request forgery). This means an attacker with administrator access can manipulate the forum's CSS compilation to execute these attacks.

Impact Analysis

The vulnerability can lead to local file inclusion, allowing an attacker to read sensitive files on the server that the PHP process can access. Additionally, it can be used to perform server-side request forgery (SSRF), enabling the attacker to make unauthorized HTTP(S) requests from the server.

These impacts can compromise the confidentiality of sensitive data stored on the server and potentially allow further attacks or information gathering by the attacker. However, exploitation requires authenticated administrator access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Flarum to version 1.8.16 or later, or to version 2.0.0-rc.1 or later, where the issue has been patched.

This patch restricts the use of @import and data-uri() LESS features in all LESS config variables, preventing arbitrary file inclusion or server-side request forgery via crafted theme color values.

Compliance Impact

The vulnerability allows an authenticated administrator to perform local file inclusion (LFI) and server-side request forgery (SSRF), potentially exposing sensitive files accessible by the PHP process or internal network services.

Such unauthorized access to sensitive data or internal resources could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive information.

Because the attacker can retrieve data by accessing a publicly served CSS file, this could result in data leakage or unauthorized disclosure, impacting compliance with confidentiality and data security requirements.

Therefore, organizations using vulnerable versions of Flarum may face increased risk of non-compliance with standards that mandate protection of sensitive data and internal systems.

Detection Guidance

This vulnerability can be detected by reviewing the compiled forum.css file served by the Flarum forum for any unexpected or suspicious @import directives that could indicate exploitation attempts.

Since the attack involves an authenticated administrator injecting arbitrary @import directives via LESS config variables such as theme_primary_color or theme_secondary_color, monitoring changes or unusual values in these settings can help detect exploitation.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

Recommended detection steps include:

  • Manually inspect the forum.css file for unexpected @import statements that could indicate local file inclusion or SSRF attempts.
  • Audit administrator account activity and changes to LESS configuration variables, especially theme_primary_color and theme_secondary_color.
  • Restrict and monitor administrator access to prevent unauthorized theme configuration changes.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart