GHSA-3C4M-J3G4-HH25

Vulnerability from github – Published: 2026-03-10 00:56 – Updated: 2026-03-10 18:44
Summary
flarum/nicknames extension has display name injection in notification emails (autolink & markdown)
Details

Summary

When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.

Affected package

  • flarum/nicknames — permissive display name driver that allows special characters; affected since initial release on the 1.x branch, fixed in 1.8.3 (see the affected range in the record below)

Any third-party display name driver that permits special characters would be equally affected.

Variants

  1. Domain autolink — a nickname such as nasty.com is automatically converted to a clickable hyperlink by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird).
  2. Markdown link syntax — a nickname such as [CLICK](https://evil.com) is rendered as a clickable hyperlink by email clients that auto-render markdown in plain-text emails (e.g. Apple Mail, Thunderbird).

Steps to reproduce

Variant 1 (autolink — affects all email clients)

  1. Enable flarum/nicknames, set nickname to nasty.com
  2. Trigger a notification email to another user (e.g. follow them, mention them)
  3. The nickname appears as a clickable link in the received email

Variant 2 (markdown — affects markdown-rendering email clients)

  1. Enable flarum/nicknames, set nickname to [CLICK](https://evil.com)
  2. Trigger a notification email to another user
  3. In a markdown-rendering email client (e.g. Apple Mail), the nickname appears as a clickable link

Impact

Phishing / social engineering: victims may be misled into visiting attacker-controlled URLs via links appearing to originate from a trusted platform notification email. Variant 1 is exploitable against virtually all email clients without any special conditions.

  • CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (4.6, Medium)

Root cause

The default username-based display name driver constrains values to [a-zA-Z0-9_-]+, making it immune. flarum/nicknames introduced permissive validation (min/max length and an optional admin-configured regex) that allows arbitrary characters including those meaningful in URL and markdown contexts. This has been the case since the first commit of the extension.

Proposed fix

  • Add validation in flarum/nicknames to reject or sanitize nicknames containing characters that email clients may interpret as URLs or markdown links
  • Alternatively, sanitize the display name before insertion into notification email bodies so that legitimate nicknames like Jane.Smith are preserved but rendered safely
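The two variants above and the two fix options are straightforward to model in code. The following is an added example written for this page, not code from flarum/nicknames or Flarum core: a detector for nicknames that an email client would linkify (the reject-at-validation option), and an email-rendering path that escapes markdown link syntax and falls back to the account's username when the name would still autolink (the sanitize-at-render option). The TLD set, the function names, the fallback-to-username design and every sample nickname are assumptions made for the demonstration; it also checks angle-bracket autolinks and e-mail addresses, which the advisory does not mention.

```python
import re

# Added example (not code from flarum/nicknames or Flarum core). It models the
# two controls the advisory proposes for a display name that is inserted into
# a plain-text notification email:
#   1. reject a nickname that an email client would turn into a link, and
#   2. escape markdown link syntax in the email path, falling back to the
#      account's username when the name would still linkify.
# The TLD set, the function names and every sample nickname are constructed
# for this demonstration.

# Stand-in for the TLD list an email client's autolinker effectively applies.
# "smith" is deliberately absent so the advisory's legitimate example
# Jane.Smith is not flagged.
KNOWN_TLDS = frozenset({
    "com", "net", "org", "io", "co", "uk", "de", "ru", "info", "biz",
    "xyz", "top", "app", "dev", "link", "click",
})

# Strict allowlist in the spirit of the default username driver ([a-zA-Z0-9_-]+),
# extended with space and apostrophe. It cannot express "nasty.com" or
# "[x](y)", at the cost of also rejecting dotted names such as Jane.Smith.
STRICT_ALLOWLIST_RE = re.compile(r"^[A-Za-z0-9 _'-]+$")

URL_SCHEME_RE = re.compile(r"(?i)\b(?:https?|ftp|mailto):")
MARKDOWN_LINK_RE = re.compile(r"\[[^\]]*\]\s*\([^)]*\)")      # [text](target)
ANGLE_AUTOLINK_RE = re.compile(r"<[^>\s]+>")                   # <https://x>, <a@b.c>
EMAIL_ADDRESS_RE = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+")
# label.label.tld, not glued to surrounding word characters
DOMAIN_TOKEN_RE = re.compile(r"(?i)(?<![\w.-])(?:[a-z0-9-]+\.)+([a-z]{2,63})(?![\w-])")


def link_risks(nickname: str) -> list[str]:
    """Return the ways an email client could render this name as a link ([] if none)."""
    reasons = []
    if URL_SCHEME_RE.search(nickname):
        reasons.append("url-scheme")
    if MARKDOWN_LINK_RE.search(nickname):
        reasons.append("markdown-link")
    if ANGLE_AUTOLINK_RE.search(nickname):
        reasons.append("angle-autolink")
    if EMAIL_ADDRESS_RE.search(nickname):
        reasons.append("email-address")
    if any(m.group(1).lower() in KNOWN_TLDS for m in DOMAIN_TOKEN_RE.finditer(nickname)):
        reasons.append("domain-autolink")
    return reasons


def is_acceptable_nickname(nickname: str, *, strict: bool = False) -> bool:
    """Validation hook for the 'set nickname' request (fix option 1)."""
    if strict:
        return STRICT_ALLOWLIST_RE.fullmatch(nickname) is not None
    return not link_risks(nickname)


def escape_markdown_links(text: str) -> str:
    """Backslash-escape the characters that form markdown link and autolink syntax.

    This defuses variant 2 in clients that render markdown from plain text. It
    does nothing for variant 1: a bare domain is linkified by pattern matching
    on the visible text, and plain text has no escape for that.
    """
    return re.sub(r"([\[\]()<>\\])", r"\\\1", text)


def render_for_email(nickname: str, username: str) -> str:
    """Email-body path (fix option 2).

    Escapes markdown syntax; if the escaped name would still be linkified
    (bare domain, URL scheme, e-mail address), substitutes the account's
    username, which the default driver restricts to [a-zA-Z0-9_-]+ and which
    therefore never autolinks. Assumes `username` comes from that driver.
    """
    escaped = escape_markdown_links(nickname)
    return username if link_risks(escaped) else escaped


if __name__ == "__main__":
    # Constructed sample nicknames: the two from the advisory plus a few extras.
    samples = ["Jane.Smith", "nasty.com", "[CLICK](https://evil.com)",
               "<https://evil.com>", "bob@example.com"]
    for name in samples:
        print(f"{name!r:32} risks={link_risks(name)} "
              f"email={render_for_email(name, 'user123')!r}")
```

The escape step alone is not a fix: "nasty.com" contains nothing to escape, so the rejection path (or the username fallback) is what actually stops variant 1. If the admin-configured regex the advisory mentions is used as the control, it has to be an allowlist in the spirit of STRICT_ALLOWLIST_RE; any pattern that admits a dot admits a bare domain.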

References

  • Bug bounty submission: SBB-L4ZVAFH8 (Intigriti)

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/nicknames"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T00:56:30Z",
    "nvd_published_at": "2026-03-10T17:40:15Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nWhen the `flarum/nicknames` extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.\n\n## Affected package\n\n- **`flarum/nicknames`** \u2014 permissive display name driver that allows special characters; affected since initial release on the `1.x` branch\n\nAny third-party display name driver that permits special characters would be equally affected.\n\n## Variants\n\n1. **Domain autolink** \u2014 a nickname such as `nasty.com` is automatically converted to a clickable hyperlink by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird).\n2. **Markdown link syntax** \u2014 a nickname such as `[CLICK](https://evil.com)` is rendered as a clickable hyperlink by email clients that auto-render markdown in plain-text emails (e.g. Apple Mail, Thunderbird).\n\n## Steps to reproduce\n\n**Variant 1 (autolink \u2014 affects all email clients)**\n1. Enable `flarum/nicknames`, set nickname to `nasty.com`\n2. Trigger a notification email to another user (e.g. follow them, mention them)\n3. The nickname appears as a clickable link in the received email\n\n**Variant 2 (markdown \u2014 affects markdown-rendering email clients)**\n1. Enable `flarum/nicknames`, set nickname to `[CLICK](https://evil.com)`\n2. Trigger a notification email to another user\n3. In a markdown-rendering email client (e.g. Apple Mail), the nickname appears as a clickable link\n\n## Impact\n\nPhishing / social engineering: victims may be misled into visiting attacker-controlled URLs via links appearing to originate from a trusted platform notification email. Variant 1 is exploitable against virtually all email clients without any special conditions.\n\n- CVSS v3.1: `AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N` \u2014 **4.6 Medium**\n\n## Root cause\n\nThe default username-based display name driver constrains values to `[a-zA-Z0-9_-]+`, making it immune. `flarum/nicknames` introduced permissive validation (min/max length and an optional admin-configured regex) that allows arbitrary characters including those meaningful in URL and markdown contexts. This has been the case since the first commit of the extension.\n\n## Proposed fix\n\n- Add validation in `flarum/nicknames` to reject or sanitize nicknames containing characters that email clients may interpret as URLs or markdown links\n- Alternatively, sanitize the display name before insertion into notification email bodies so that legitimate nicknames like `Jane.Smith` are preserved but rendered safely\n\n## References\n\n- Bug bounty submission: SBB-L4ZVAFH8 (Intigriti)",
  "id": "GHSA-3c4m-j3g4-hh25",
  "modified": "2026-03-10T18:44:19Z",
  "published": "2026-03-10T00:56:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/nicknames/commit/4dde99729abdce8f6e2a7437c86e38735fdcca28"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flarum/framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/nicknames/releases/tag/v1.8."
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/nicknames/releases/tag/v1.8.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "flarum/nicknames extension has display name injection in notification emails (autolink \u0026 markdown)"
}

