Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
References
Configurations
Configuration 1 (hide)
|
History
09 Apr 2026, 19:31
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/discourse/discourse/commit/cac7d618a562ce934f8dbf73cdb70066a4806b4c - Patch | |
| References | () https://github.com/discourse/discourse/security/advisories/GHSA-pjc5-8x3w-rfwx - Vendor Advisory | |
| CPE | cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:* cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| First Time |
Discourse
Discourse discourse |
03 Apr 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
31 Mar 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-31 18:16
Updated : 2026-04-09 19:31
NVD link : CVE-2026-32243
Mitre link : CVE-2026-32243
CVE.ORG link : CVE-2026-32243
JSON object : View
Products Affected
discourse
- discourse
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')