CVE-2026-48780
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments.
Risk Assessment
Organizations may be exposed to unauthorized access to their Forem deployments, potentially leading to data leaks or breaches of user privacy.
Recommendation
It is recommended to update the software to the version containing the a2ab6d4 patch and consider implementing additional security measures at the SMTP server level.
Original NVD description (English source)
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.

