CVE-2026-48780 | THREATINT

Description

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-16 | Updated 2026-06-17 | Assigner GitHub_M

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-287: Improper Authentication

Product status

< a2ab6d4

affected

References

github.com/.../forem/security/advisories/GHSA-3g4h-9h37-mpx6

github.com/...ommit/a2ab6d409d2676eb0711ecbd737192043125b437

cve.org (CVE-2026-48780)

nvd.nist.gov (CVE-2026-48780)

Download JSON