flarum/sticky is vulnerable to cross-site scripting. An attacker who can pin their own discussion, or who can edit a discussion that was previously pinned, is able to inject and execute an arbitrary script via Mithril's m.trust() helper while the extension is enabled.
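To show why m.trust() on user-controlled content is the sink here, this added example (not flarum/sticky's or Mithril's own code) models the two relevant Mithril behaviours with a tiny renderer: plain string children are escaped, while a vnode produced by m.trust() is emitted verbatim. The markup, the sample title and the helper names are assumptions for illustration.

```javascript
// Added example, not code from flarum/sticky. The renderer below is a
// stand-in for Mithril: it only models the escaping contrast that matters.

// Escape the five characters that can break out of text or attribute context.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Mithril's m.trust(html) returns a vnode whose content is inserted as raw HTML.
const trust = (html) => ({ tag: '<', children: html });

// Minimal vnode-to-string renderer: strings are escaped (Mithril's default),
// trusted vnodes are passed through untouched.
function render(tag, ...children) {
  const body = children
    .map((c) => (c && c.tag === '<' ? c.children : escapeHtml(c)))
    .join('');
  return `<${tag}>${body}</${tag}>`;
}

// Vulnerable pattern (hypothetical): a title the pinning user controls is
// wrapped in trust(), so any markup in it reaches the DOM live.
function renderPinnedTitleUnsafe(title) {
  return render('h2', trust(title));
}

// Fixed pattern: hand the title to the renderer as a plain string so it is
// escaped; trust() is reserved for markup the application itself produced.
function renderPinnedTitleSafe(title) {
  return render('h2', title);
}

// Constructed sample title containing markup, as a sanitizer test would use.
const sampleTitle = 'Rules <script>alert(1)</script>';
console.log(renderPinnedTitleUnsafe(sampleTitle)); // script tag survives
console.log(renderPinnedTitleSafe(sampleTitle));   // rendered as inert text
```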
discuss.flarum.org/d/26042-security-update-to-flarum-sticky-010-beta151
github.com/advisories/GHSA-h3gg-7wx2-cq3h
github.com/flarum/sticky/commit/7ebd30462bd405c4c0570b93a6d48710e6c3db19
github.com/flarum/sticky/commit/fc995b88aecb6095f77cf01a899a9cfe23145a30
github.com/flarum/sticky/pull/24
github.com/flarum/sticky/security/advisories/GHSA-h3gg-7wx2-cq3h