Listen to this Post
The CVE-2026-30913 vulnerability resides in the `flarum/nicknames` extension for the Flarum forum software . When enabled, this extension allows registered users to set a nickname without properly sanitizing special characters. A malicious user can set their nickname to a string that email clients interpret as a hyperlink, such as `nasty.com` or markdown link syntax `[CLICK](https://evil.com)` . The extension’s permissive validation, which only enforces min/max length and an optional admin regex, fails to block these malicious inputs . When the system generates plain-text notification emails (like follow or mention notifications), the unsanitized nickname is inserted verbatim into the email body . Upon receipt, email clients automatically convert these strings into clickable hyperlinks—domain names become autolinks in virtually all clients (Gmail, Outlook, Apple Mail, Thunderbird), while markdown syntax renders as formatted links in clients like Apple Mail . Recipients, trusting the email appears to come from the legitimate Flarum platform, may be deceived into clicking these attacker-controlled URLs, leading to phishing or social engineering attacks . The root cause is the contrast between the core username driver (restricted to [a-zA-Z0-9_-]+) and the nickname extension’s permissive approach since its initial commit on the 1.x branch . Any third-party display name driver allowing special characters would be equally affected .
dailycve form:
Platform: Flarum extension
Version: 1.x branch
Vulnerability: Phishing via nickname
Severity: Medium (4.6)
date: 2026-03-09
Prediction: Patch within 30d
What Undercode Say:
Analytics
The vulnerability exploits trust in platform notifications. CVSS: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N . Affects all email clients via autolink variant; markdown-rendering clients additionally impacted .
Bash Commands & Configuration
Check if flarum/nicknames is installed composer show | grep flarum/nicknames Disable the extension immediately (workaround) php flarum extension disable flarum-nicknames Update Flarum core and extensions composer update flarum/core --with-dependencies Verify current validation regex in configuration php flarum info | grep -A 5 "nicknames" Manual database check for suspicious nicknames mysql -u root -p flarum_db -e "SELECT user_id, nickname FROM users WHERE nickname REGEXP '(http|.com|[.](.))';" Apply custom validation via extension settings (if patch available) php flarum config set flarum-nicknames.regex '/^[a-zA-Z0-9_-]+$/' Clear cache after changes php flarum cache:clear
How Exploit:
1. Attacker registers on Flarum forum
- Enables nickname feature, sets nickname to `evil.com` or `[Click here](https://evil.com)`
3. Triggers notification (mentions victim, follows them, etc.)
4. Victim receives plain-text email with clickable link
5. Victim clicks, lands on attacker-controlled site
Protection from this CVE:
- Disable `flarum/nicknames` extension until patch applied
- Implement strict regex validation: `^[a-zA-Z0-9_-]+$`
– Sanitize nicknames before email insertion - Use HTML emails with proper escaping instead of plain-text
- Educate users about suspicious links in notifications
- Monitor for nickname patterns containing URLs or markdown
Impact:
Medium severity (4.6 CVSS). Enables phishing attacks via trusted platform emails. All email clients vulnerable to autolink variant; markdown clients additionally at risk. Undermines user trust in notification security. Requires user interaction but low complexity to execute.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

