CVE-2022-41938

Name: CVE-2022-41938
Creator: NVD / NIST
Published: 2022-11-19T01:15:10.383+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.4/10EPSS 0.68%

Last modified Jun 17, 2026

CVE-2022-41938 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. EPSS estimates a 0.68% chance of exploitation in the next 30 days.

Description

Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted. The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.68%

47.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Flarum	Flarum	>= 1.5.0, < 1.6.2

References

https://discuss.flarum.org/d/27558Vendor Advisory
https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138Patch, Third Party Advisory
https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854xThird Party Advisory
https://discuss.flarum.org/d/27558Vendor Advisory
https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138Patch, Third Party Advisory
https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854xThird Party Advisory

Timeline

Published: Nov 19, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-41938?

How severe is CVE-2022-41938?

CVE-2022-41938 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.68% probability of exploitation in the next 30 days.

How do I fix CVE-2022-41938?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-41938?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST