CVE-2025-27794
CVE-2025-27794 is a medium-severity vulnerability in Flarum with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-74.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- EPSS exploit prediction: 0% (37th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-7808
- Weakness: CWE-74
- Affected product: Flarum
- Published:
- Last modified:
Description
Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the parent domain (e.g., `evil.host.com` or `x.y.host.com`), and the parent domain must not be on the Public Suffix List. Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. Version 1.8.10 contains a patch for the issue.
Frequently asked questions
- What is CVE-2025-27794?
- Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the parent domain (e.g., `evil.host.com` or `x.y.host.com`), and the parent domain must not be on the Public Suffix List. Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. Version 1.8.10 contains a patch for the issue.
- How severe is CVE-2025-27794?
- CVE-2025-27794 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2025-27794 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (37th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-27794?
- CVE-2025-27794 affects Flarum. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-27794?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-27794 have an EU (EUVD) identifier?
- Yes. CVE-2025-27794 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-7808.
- When was CVE-2025-27794 published?
- CVE-2025-27794 was published on 2025-03-12 and last updated on 2026-06-17.
References
- https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402
- https://github.com/flarum/framework/releases/tag/v1.8.10
- https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px
Affected products (1)
- cpe:2.3:a:flarum:flarum:*:*:*:*:*:*:*:*
More vulnerabilities in Flarum
- CVE-2021-32671 — Critical (CVSS 10.0): Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be…
- CVE-2022-41938 — Critical (CVSS 9.0): Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into…
- CVE-2019-13183 — High (CVSS 8.8): Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
- CVE-2023-22487 — High (CVSS 7.7): Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions…
- CVE-2019-11514 — High (CVSS 7.5): User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.
- CVE-2023-40033 — High (CVSS 7.1): Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a…
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →