CVE-2026-27570

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1	Patch
https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1	Patch
https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

History

25 Mar 2026, 00:59

Type	Values Removed	Values Added
First Time		Discourse Discourse discourse
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:discourse:discourse:2026.3.0::::latest::: cpe:2.3:a:discourse:discourse::::::::
References	~~() https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1 -~~	() https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1 - Patch
References	~~() https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1 -~~	() https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1 - Patch
References	~~() https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc -~~	() https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc - Patch
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv - Vendor Advisory
Summary		(es) Discourse es una plataforma de discusión de código abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, el método onebox en el modelo SharedAiConversation renderiza el título de la conversación directamente en HTML sin una sanitización adecuada. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. Como solución alternativa, restrinja el acceso cambiando la configuración del sitio 'ai_bot_public_sharing_allowed_groups'.

19 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 21:17

Updated : 2026-03-25 00:59

NVD link : CVE-2026-27570

Mitre link : CVE-2026-27570

CVE.ORG link : CVE-2026-27570

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10