Flarum, Input Validation Vulnerability, CVE-2026-30913 (Medium)

Listen to this Post

The CVE-2026-30913 vulnerability resides in the `flarum/nicknames` extension for the Flarum forum software . When enabled, this extension allows registered users to set a nickname without properly sanitizing special characters. A malicious user can set their nickname to a string that email clients interpret as a hyperlink, such as `nasty.com` or markdown link syntax `[CLICK](https://evil.com)` . The extension’s permissive validation, which only enforces min/max length and an optional admin regex, fails to block these malicious inputs . When the system generates plain-text notification emails (like follow or mention notifications), the unsanitized nickname is inserted verbatim into the email body . Upon receipt, email clients automatically convert these strings into clickable hyperlinks—domain names become autolinks in virtually all clients (Gmail, Outlook, Apple Mail, Thunderbird), while markdown syntax renders as formatted links in clients like Apple Mail . Recipients, trusting the email appears to come from the legitimate Flarum platform, may be deceived into clicking these attacker-controlled URLs, leading to phishing or social engineering attacks . The root cause is the contrast between the core username driver (restricted to [a-zA-Z0-9_-]+) and the nickname extension’s permissive approach since its initial commit on the 1.x branch . Any third-party display name driver allowing special characters would be equally affected .

dailycve form:

Platform: Flarum extension
Version: 1.x branch
Vulnerability: Phishing via nickname
Severity: Medium (4.6)
date: 2026-03-09

Prediction: Patch within 30d

What Undercode Say:

Analytics

The vulnerability exploits trust in platform notifications. CVSS: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N . Affects all email clients via autolink variant; markdown-rendering clients additionally impacted .

Bash Commands & Configuration

Check if flarum/nicknames is installed
composer show | grep flarum/nicknames
Disable the extension immediately (workaround)
php flarum extension disable flarum-nicknames
Update Flarum core and extensions
composer update flarum/core --with-dependencies
Verify current validation regex in configuration
php flarum info | grep -A 5 "nicknames"
Manual database check for suspicious nicknames
mysql -u root -p flarum_db -e "SELECT user_id, nickname FROM users WHERE nickname REGEXP '(http|.com|[.](.))';"
Apply custom validation via extension settings (if patch available)
php flarum config set flarum-nicknames.regex '/^[a-zA-Z0-9_-]+$/'
Clear cache after changes
php flarum cache:clear

How Exploit:

1. Attacker registers on Flarum forum

  1. Enables nickname feature, sets nickname to `evil.com` or `[Click here](https://evil.com)`

3. Triggers notification (mentions victim, follows them, etc.)

4. Victim receives plain-text email with clickable link

5. Victim clicks, lands on attacker-controlled site

Protection from this CVE:

  • Disable `flarum/nicknames` extension until patch applied
  • Implement strict regex validation: `^[a-zA-Z0-9_-]+$`
    – Sanitize nicknames before email insertion
  • Use HTML emails with proper escaping instead of plain-text
  • Educate users about suspicious links in notifications
  • Monitor for nickname patterns containing URLs or markdown

Impact:

Medium severity (4.6 CVSS). Enables phishing attacks via trusted platform emails. All email clients vulnerable to autolink variant; markdown clients additionally at risk. Undermines user trust in notification security. Requires user interaction but low complexity to execute.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top