Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
https://github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25 cve-icon
https://github.com/flarum/nicknames/commit/4dde99729abdce8f6e2a7437c86e38735fdcca28 cve-icon
https://github.com/flarum/nicknames/releases/tag/v1.8. cve-icon
History

Mon, 09 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
Title flarum/nickname: Display name injection in notification emails (autolink & markdown)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-09T22:42:40.014Z

Updated: 2026-03-09T22:42:40.014Z

Reserved: 2026-03-07T16:40:05.883Z

Link: CVE-2026-30913

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.