Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) — CVE-2026-41887
GitHub · GitHub · CVE-2026-41887
ID
CVE-2026-41887
CVE-2026-41887
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
4.9
4.9
EPSS
0.00011
0.00011
Summary
## Summary Flarum's patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via…
Product
composer: flarum/core
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.