CVE-2026-41887
LESS Injection in Flarum Theme Settings
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flarum | flarum | to 1.8.16 (exc); to 2.0.0-rc.1 (exc) |
| flarum | flarum | to 2.0.0-beta.8 (exc) |
| flarum | flarum | 1.8.16 |
| flarum | flarum | 2.0.0-rc.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Flarum, an open-source forum software, in versions prior to 1.8.16 and 2.0.0-rc.1. It arises because certain settings registered as LESS configuration variables (such as theme_primary_color and theme_secondary_color) are not properly restricted. These settings are directly interpolated into the LESS source code at compile time without sanitization, allowing an authenticated administrator to inject arbitrary @import directives into the compiled CSS.
Because the LESS parser processes these @import directives, an attacker can exploit this to perform local file inclusion (reading arbitrary files accessible by the PHP process) or trigger outbound HTTP(S) requests (server-side request forgery). This means an attacker with administrator access can manipulate the forum's CSS compilation to execute these attacks.
How can this vulnerability impact me?
The vulnerability can lead to local file inclusion, allowing an attacker to read sensitive files on the server that the PHP process can access. Additionally, it can be used to perform server-side request forgery (SSRF), enabling the attacker to make unauthorized HTTP(S) requests from the server.
These impacts can compromise the confidentiality of sensitive data stored on the server and potentially allow further attacks or information gathering by the attacker. However, exploitation requires authenticated administrator access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Flarum to version 1.8.16 or later, or to version 2.0.0-rc.1 or later, where the issue has been patched.
This patch restricts the use of @import and data-uri() LESS features in all LESS config variables, preventing arbitrary file inclusion or server-side request forgery via crafted theme color values.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated administrator to perform local file inclusion (LFI) and server-side request forgery (SSRF), potentially exposing sensitive files accessible by the PHP process or internal network services.
Such unauthorized access to sensitive data or internal resources could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive information.
Because the attacker can retrieve data by accessing a publicly served CSS file, this could result in data leakage or unauthorized disclosure, impacting compliance with confidentiality and data security requirements.
Therefore, organizations using vulnerable versions of Flarum may face increased risk of non-compliance with standards that mandate protection of sensitive data and internal systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the compiled forum.css file served by the Flarum forum for any unexpected or suspicious @import directives that could indicate exploitation attempts.
Since the attack involves an authenticated administrator injecting arbitrary @import directives via LESS config variables such as theme_primary_color or theme_secondary_color, monitoring changes or unusual values in these settings can help detect exploitation.
There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.
Recommended detection steps include:
- Manually inspect the forum.css file for unexpected @import statements that could indicate local file inclusion or SSRF attempts.
- Audit administrator account activity and changes to LESS configuration variables, especially theme_primary_color and theme_secondary_color.
- Restrict and monitor administrator access to prevent unauthorized theme configuration changes.
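As an added defensive check, not part of this CVE record or of Flarum's own code, the following Python script audits the two LESS colour settings the advisory names and a compiled stylesheet for the directives the fix restricts. The sample settings rows and CSS snippet are constructed, and the rule that a legitimate value is a bare hex colour is this example's assumption.

```python
"""Audit Flarum LESS colour settings and compiled forum.css for injected
@import / data-uri() directives (CVE-2026-41887). Added example; constructed data."""
import re

# Settings the advisory says Flarum registers as LESS variables.
LESS_COLOR_SETTINGS = ("theme_primary_color", "theme_secondary_color")

# Assumption: a legitimate theme colour is a bare 3- or 6-digit CSS hex colour.
HEX_COLOR_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# LESS features the fix restricts inside config variables ...
DIRECTIVE_RE = re.compile(r"@import\b|data-uri\s*\(|url\s*\(", re.IGNORECASE)
# ... and the characters a value needs in order to break out of a colour literal.
BREAKOUT_RE = re.compile(r"[;{}\n]")


def audit_settings(settings):
    """Return {setting_name: reason} for LESS colour settings that are not plain hex colours."""
    findings = {}
    for key in LESS_COLOR_SETTINGS:
        value = settings.get(key)
        if value is None or HEX_COLOR_RE.match(value.strip()):
            continue
        hit = DIRECTIVE_RE.search(value) or BREAKOUT_RE.search(value)
        findings[key] = f"contains {hit.group(0)!r}" if hit else "not a hex colour"
    return findings


def audit_css(css_text):
    """Return every @import directive surviving in compiled CSS.

    LESS resolves its own imports at compile time, so compare the result with
    a known-good build of the same version; any directive not present there is suspect.
    """
    return re.findall(r"@import[^;]*;", css_text, flags=re.IGNORECASE)


# Constructed sample rows, shaped like Flarum's settings table (one value tampered).
SAMPLE_SETTINGS = {
    "theme_primary_color": "#4D698E",
    "theme_secondary_color": '#FFF; @import "EXAMPLE-INJECTED-SOURCE"',
}

# Constructed snippet standing in for a served forum.css.
SAMPLE_CSS = 'body{color:#4D698E}\n@import "EXAMPLE-INJECTED-SOURCE";\n.Button{background:#FFF}'

if __name__ == "__main__":
    for name, reason in audit_settings(SAMPLE_SETTINGS).items():
        print(f"suspicious setting {name}: {reason}")
    for directive in audit_css(SAMPLE_CSS):
        print(f"@import in compiled CSS: {directive}")
```

Run it against a dump of the settings rows and the forum.css actually served; an empty result from both functions is the expected state on a patched, untampered install.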