CVE-2026-30913: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in flarum nicknames
Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
AI Analysis
Technical Summary
CVE-2026-30913 is a vulnerability classified under CWE-79 (cross-site scripting) in the flarum/nicknames extension of the Flarum open-source forum software. The extension lets a registered user set a nickname to an arbitrary string without neutralizing it, and the nickname is then inserted verbatim into the plain-text notification emails the forum generates. Because some email clients render URL-like strings in plain text as clickable hyperlinks, an attacker can choose a nickname that appears as a link in those emails; recipients who click it may be taken to an attacker-controlled domain, enabling phishing or malware delivery. All versions of the nicknames extension prior to 1.8.3 are affected. Exploitation requires a registered account on the forum and a victim who receives the notification email and follows the link. The CVSS v3.1 base score is 4.6 (medium): network attack vector, low attack complexity, privileges required (a registered user), and user interaction required (clicking the link). The impact is to confidentiality and integrity, with no direct effect on availability. No exploitation in the wild had been reported as of publication. The case illustrates the risk of user-supplied content that is propagated outside the web application context, here into email notifications, without being neutralized for that context.
Potential Impact
The primary impact of this vulnerability is the potential for phishing and social engineering attacks via email notifications sent by Flarum forums using the vulnerable nicknames extension. Attackers can craft nicknames that appear as legitimate hyperlinks in plain-text emails, misleading recipients into visiting malicious websites. This can lead to credential theft, malware infections, or further compromise of user accounts. Organizations running vulnerable versions of Flarum risk exposing their users to targeted attacks, especially if users trust notification emails from the forum. While the vulnerability does not directly compromise the forum’s availability or server integrity, it undermines user trust and confidentiality. The requirement for attacker registration limits the attack surface somewhat, but many forums allow open registration, increasing risk. The impact is particularly significant for forums with large user bases or those used in sensitive or high-profile communities, where phishing can have serious consequences. Additionally, the vulnerability may facilitate lateral phishing campaigns if attackers leverage compromised accounts to target other users.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade the flarum/nicknames extension to version 1.8.3 or later, where proper input neutralization has been implemented. If immediate upgrade is not possible, administrators should consider disabling the nicknames extension temporarily to prevent exploitation. Implementing server-side input validation and sanitization to strip or encode potentially dangerous characters in nicknames before insertion into emails is critical. Additionally, modifying the email notification templates to escape or remove user-generated content before inclusion can reduce risk. Email filtering solutions should be configured to detect and block suspicious hyperlinks in notification emails. User awareness training is important to educate recipients about the risks of clicking unexpected links in forum notifications. Monitoring forum registrations and nicknames for suspicious patterns can help detect attempts to exploit this vulnerability. Finally, applying strict access controls to limit who can register or change nicknames reduces the attack surface.
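The validation, render-time escaping and nickname monitoring steps above can be illustrated with a small, language-agnostic check. The code below is an added example written for this page; it is not part of Flarum or the flarum/nicknames extension, and its regular expressions, function names and sample rows are constructed heuristics rather than anything the project ships. It flags nickname substrings that common mail clients auto-link in plain text (URL schemes, `www.` prefixes, domain-like tokens, email addresses), offers a reject-at-validation check, a defanging fallback for plain-text templates, and a sweep over existing nicknames for the monitoring step.

```python
from __future__ import annotations

import re
from typing import Iterable

# Heuristics for substrings that many mail clients turn into clickable links when
# rendering plain text. Constructed for this example; not exhaustive, and not
# Flarum's own rules. Tune them to the clients your user base actually uses.
SCHEME_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://\S+")
WWW_RE = re.compile(r"(?i)\bwww\.\S+")
DOMAIN_RE = re.compile(r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b(?:/\S*)?")
EMAIL_RE = re.compile(r"(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b")

PATTERNS = (SCHEME_RE, WWW_RE, DOMAIN_RE, EMAIL_RE)


def linkifiable_fragments(nickname: str) -> list[str]:
    """Return the substrings of `nickname` that a mail client is likely to auto-link."""
    found: list[str] = []
    for pattern in PATTERNS:
        for m in pattern.finditer(nickname):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def is_safe_nickname(nickname: str) -> bool:
    """Validation-time check: reject any nickname that would render as a link."""
    return not linkifiable_fragments(nickname)


def defang_for_plain_text(text: str) -> str:
    """Render-time fallback for plain-text templates.

    Breaks the tokens auto-linkers key on without hiding them: '://' becomes
    '[:]//' and dots inside domain-like tokens become '[.]', the same convention
    used when sharing indicators of compromise. The nickname stays readable but
    is no longer clickable.
    """
    text = text.replace("://", "[:]//")
    text = DOMAIN_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    text = WWW_RE.sub(lambda m: m.group(0).replace("www.", "www[.]", 1), text)
    return text


def flag_suspicious_nicknames(records: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Sweep existing nicknames (e.g. a users-table export) and report the ones that
    would be auto-linked, for the monitoring step the advisory recommends."""
    flagged: list[tuple[int, list[str]]] = []
    for r in records:
        frags = linkifiable_fragments(r["nickname"])
        if frags:
            flagged.append((r["user_id"], frags))
    return flagged


# Constructed sample rows standing in for a users-table export (not real data).
SAMPLE_NICKNAMES = [
    {"user_id": 1, "nickname": "alice"},
    {"user_id": 2, "nickname": "J.R. Tolkien"},
    {"user_id": 3, "nickname": "Reset your password at login.example-forum.test/reset"},
    {"user_id": 4, "nickname": "support@example-forum.test"},
]

if __name__ == "__main__":
    for uid, frags in flag_suspicious_nicknames(SAMPLE_NICKNAMES):
        print(uid, frags)
    print(defang_for_plain_text(SAMPLE_NICKNAMES[2]["nickname"]))
```

Rejecting at validation time is the cleaner fix, but the domain heuristic will also refuse legitimate nicknames such as `mr.robot`, so decide deliberately between rejection and defanging. Defanging belongs in the plain-text template path only; an HTML template needs ordinary HTML escaping on top of it.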
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.883Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69af51f2ea502d3aa8d1f2cf
Added to database: 3/9/2026, 11:04:18 PM
Last enriched: 3/9/2026, 11:18:57 PM
Last updated: 3/14/2026, 12:23:59 AM