CVE-2026-30913: Link Injection and Content Spoofing in Flarum Nicknames Extension
Vulnerability ID: CVE-2026-30913
CVSS Score: 4.6
Published: 2026-03-10
The flarum/nicknames extension for Flarum prior to version 1.8.3 fails to sanitize user display names before including them in outbound notification emails. This allows registered users to construct nicknames that email clients interpret as hyperlinked domains or Markdown links, facilitating targeted phishing and content spoofing attacks against forum users.
TL;DR
Flarum's nicknames extension < 1.8.3 allows authenticated users to inject malicious links into plain-text notification emails via crafted display names, creating a phishing vector. The issue is patched in version 1.8.3 by implementing robust input validation and zero-width space rendering mitigations.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 4.6
- Privileges Required: Low
- User Interaction: Required
- Exploit Status: PoC Available
Affected Systems
- Flarum Forum Software
- flarum/nicknames extension
- flarum/nicknames: < 1.8.3 (Fixed in: 1.8.3)
Code Analysis
Commit: 4dde997
Fix nickname display name injection in email templates
Mitigation Strategies
- Upgrade flarum/nicknames extension to version 1.8.3
- Audit existing Flarum database for suspicious nicknames
Remediation Steps:
- Identify the installed version of flarum/nicknames using composer
- Run 'composer require flarum/nicknames:^1.8.3' to apply the update
- Clear the Flarum cache using 'php flarum cache:clear'
- Query the database for nicknames containing suspicious characters or URLs to identify potential abuse
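As an added illustration (not code from the advisory or the flarum/nicknames project), the following Python helper shows the two ideas behind the mitigation above: flagging nicknames that mail clients or Markdown renderers would turn into links, which is what the database audit step looks for, and the zero-width-space rendering mitigation that keeps a name readable while no longer auto-linking. The regular expressions and sample nicknames are constructed assumptions.

```python
import re

# Constructed sample nicknames for illustration; not taken from the advisory.
SAMPLE_NICKNAMES = [
    "alice",
    "login.example.com",                         # bare domain: many mail clients auto-link it
    "[Reset password](https://example.com/x)",   # Markdown link syntax
    "Bob Smith",
    "support@example.com",                       # address: auto-linked as mailto by some clients
]

ZWSP = "\u200b"  # zero-width space: invisible to readers, breaks auto-linking

# Host-like token: optional scheme, dot-joined labels, 2+ letter TLD, optional path.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
# Markdown link syntax: [text](target)
MD_LINK_RE = re.compile(r"\[[^\]]*\]\([^)]*\)")


def looks_like_link(nickname: str) -> bool:
    """True if a mail client or Markdown renderer could render this nickname as a link."""
    return bool(DOMAIN_RE.search(nickname) or MD_LINK_RE.search(nickname))


def neutralize(nickname: str) -> str:
    """Render-time mitigation: insert zero-width spaces so the text is no longer
    recognised as a domain or Markdown link while looking unchanged to a human."""
    def break_domain(match: re.Match) -> str:
        token = match.group(0)
        # Split every dot and the scheme separator so no label sequence survives intact.
        return token.replace(".", "." + ZWSP).replace("://", ":/" + ZWSP + "/")

    out = DOMAIN_RE.sub(break_domain, nickname)
    # Separate "](" so Markdown link syntax no longer parses.
    return out.replace("](", "]" + ZWSP + "(")


def audit(nicknames):
    """Return the nicknames an administrator should review (the database audit step)."""
    return [name for name in nicknames if looks_like_link(name)]


if __name__ == "__main__":
    for name in audit(SAMPLE_NICKNAMES):
        print(f"review: {name!r} -> rendered safely as {neutralize(name)!r}")
```

Feeding a real nickname column through `audit` gives the review list; `neutralize` is only a rendering-time defence and does not replace validating the name on input.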
References
- GitHub Security Advisory GHSA-3c4m-j3g4-hh25
- Fix Commit 4dde99729abdce8f6e2a7437c86e38735fdcca28
- Patch Diff for Fix Commit
- Release v1.8.3