CVE-2026-48780 | Forem is open source software for building communities. Prio… | CVSS 8.2 HIGH

Description

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.

Metadata

CVE ID: CVE-2026-48780
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-22 20:18 UTC
Published: 2026-06-16 14:10 UTC
Last updated: 2026-06-17 13:49 UTC
Primary CWE: CWE-287
CWE-287: Improper Authentication
Vendor / Product: forem / forem
Sources: cve.org · NVD

Severity & Metrics

8.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
forem	forem	—	< a2ab6d4

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (2)

https://github.com/forem/forem/security/advisories/GHSA-3g4h-9h37-mpx6 https://github.com/forem/forem/security/advisories/GHSA-3g4h-9h37-mpx6
https://github.com/forem/forem/commit/a2ab6d409d2676eb0711ecbd737192043125b437 https://github.com/forem/forem/commit/a2ab6d409d2676eb0711ecbd737192043125b437