[MEDIUM] flarum/nicknames extension has display name injection in notification emails (autolink & markdown)

PKSA-661s-dgrr-6b19 CVE-2026-30913 GHSA-3c4m-j3g4-hh25

Affected package: flarum/nicknames

Affected version: <1.8.3

Reported by:
GitHub