CVE-2026-30913

The CVE concerns Flarum with the nicknames extension enabled. A user’s nickname is inserted verbatim into plain‑text notification emails, allowing email clients to render it as a hyperlink. This can mislead recipients into visiting attacker‑controlled domains. The issue is tied to nickname handli...