CVE-2026-27166

Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

History

25 Mar 2026, 01:06

Type	Values Removed	Values Added
CPE		cpe:2.3:a:discourse:discourse:2026.3.0::::latest::: cpe:2.3:a:discourse:discourse::::::::
First Time		Discourse Discourse discourse
Summary		(es) Discourse es una plataforma de discusión de código abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, una limpieza insuficiente en el valor predeterminado de iframes permitidos de Codepen permite a un atacante engañar a un usuario para que cambie la URL de la página principal. Este problema ha sido solucionado en las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2. Como solución alternativa a este problema, elimine Codepen de la lista de iframes permitidos.
References	~~() https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925 -~~	() https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925 - Patch
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2 -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2 - Vendor Advisory

19 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 21:17

Updated : 2026-03-25 01:06

NVD link : CVE-2026-27166

Mitre link : CVE-2026-27166

CVE.ORG link : CVE-2026-27166

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

4.1 /10