Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Flarum |
|
No data.
No data.
References
History
Tue, 10 Mar 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 10 Mar 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Flarum
Flarum nicknames |
|
| Vendors & Products |
Flarum
Flarum nicknames |
Mon, 09 Mar 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains. | |
| Title | flarum/nickname: Display name injection in notification emails (autolink & markdown) | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-03-09T22:42:40.014Z
Updated: 2026-03-10T14:17:30.046Z
Reserved: 2026-03-07T16:40:05.883Z
Link: CVE-2026-30913
Vulnrichment
Updated: 2026-03-10T14:17:20.336Z
NVD
Status : Received
Published: 2026-03-10T17:40:15.210
Modified: 2026-03-10T17:40:15.210
Link: CVE-2026-30913
Redhat
No data.