CVE Catalog

CVE-2026-48780

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments.

Risk Assessment

Organizations may be exposed to unauthorized access to their Forem deployments, potentially leading to data leaks or breaches of user privacy.

Recommendation

It is recommended to update the software to the version containing the a2ab6d4 patch and consider implementing additional security measures at the SMTP server level.

Original NVD description (English source)

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS