PT-2026-37157 · Flarum · Flarum

Liamsnow · Published 2026-04-22 · Updated 2026-05-08 · CVE-2026-41887

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Flarum versions prior to 1.8.16
Flarum versions prior to 2.0.0-rc.1

Description
An authenticated administrator can inject an arbitrary @import directive into the compiled forum.css file. This occurs because settings registered as LESS config variables, such as the theme primary color, the theme secondary color, and any key registered via ExtendSettings::registerLessConfigVar(), are interpolated verbatim into the LESS source at compile time, without restricting the LESS @import and data-uri() features. This allows an attacker to perform local file inclusion by reading arbitrary files reachable by the PHP process, or to trigger server-side request forgery (SSRF) by initiating outbound HTTP(S) requests. The extracted content is then embedded into the publicly served forum.css file. This issue can be exploited via the '/api/settings' endpoint.

Recommendations
Update to version 1.8.16 for the 1.x branch. Update to version 2.0.0-rc.1 for the 2.x branch. Ensure administrator accounts are protected with strong, unique passwords and two-factor authentication. Restrict administrator access to trusted users only.
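The root cause above is that a setting value is spliced into LESS source as code rather than as data, so anything with directive syntax in it becomes part of the stylesheet program. The following added example (not Flarum's own code, and not the upstream fix) shows the allowlist check a maintainer would apply before interpolation: colour settings must be hex colour literals and every other LESS config variable must be a single plain value token, so no @import, data-uri() or url() text can reach the compiler. The setting keys and the variable-naming convention used here are assumptions for illustration.

```python
import re

# Values that may be spliced into the LESS source as "@key: value;" must be
# validated as data first, otherwise the LESS compiler interprets any
# directive syntax they carry (@import, data-uri(), url()) as code.

# Hex colour literals only: "#abc" or "#aabbcc". fullmatch() is used rather
# than match() with "$" so that a trailing newline cannot slip past the check.
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")

# Allowlist for non-colour variables: one bare LESS value token such as "60px",
# "1.5em", "bold" or "sans-serif". Directive and statement characters
# ("@", ";", quotes, parentheses, braces, whitespace) are simply not permitted.
SIMPLE_VALUE = re.compile(r"[A-Za-z0-9_.%-]+")

# Assumed setting keys for the two theme colours named in the advisory; any
# other key (e.g. one added via registerLessConfigVar) uses SIMPLE_VALUE.
COLOR_KEYS = {"theme_primary_color", "theme_secondary_color"}


def validate_less_config_value(key: str, value: str) -> bool:
    """Return True only if `value` is safe to interpolate into LESS for `key`."""
    if not isinstance(value, str):
        return False
    if key in COLOR_KEYS:
        return HEX_COLOR.fullmatch(value) is not None
    return SIMPLE_VALUE.fullmatch(value) is not None


def build_less_variables(settings: dict) -> str:
    """Render the variable preamble the compiler would receive, but only after
    every value has passed validation; the first unsafe value raises instead
    of being interpolated verbatim. Variable naming (underscore to hyphen)
    is an assumption of this example."""
    lines = []
    for key, value in settings.items():
        if not validate_less_config_value(key, value):
            raise ValueError(f"refusing unsafe LESS config value for {key!r}")
        lines.append(f"@{key.replace('_', '-')}: {value};")
    return "\n".join(lines)
```

A denylist that only strips the literal string "@import" is not an adequate substitute: the allowlist above rejects the whole class of directive syntax rather than one spelling of it.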

Exploit

Fix

Path traversal

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41887
GHSA-XJVC-PW2R-6878

Affected Products

Flarum