CVE-2026-33395

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. This affects only instances with CSP disabled. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
Configurations

Configuration 1

OR:
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

History

24 Mar 2026, 19:46

Type: CPE
  Values Added:
    cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
    cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

Type: First Time
  Values Added:
    Discourse
    Discourse discourse

Type: Summary
  Values Added:
    (es) Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. Only for instances with CSP disabled. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.

Type: References
  Values Added:
    https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1 (Patch)
    https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee (Patch)
    https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5 (Patch)
    https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v (Mitigation, Vendor Advisory)

19 Mar 2026, 23:16

Type: New CVE

Information

Published : 2026-03-19 23:16

Updated : 2026-03-24 19:46


NVD link : CVE-2026-33395

Mitre link : CVE-2026-33395

CVE.ORG link : CVE-2026-33395

Products Affected

discourse
  • discourse
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')