What is the CVSS score of CVE-2025-48062?

CVE-2025-48062 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Discourse are affected by CVE-2025-48062?

Discourse versions prior to the patched release contain a remote code execution vulnerability (CVSS 7.1) that could allow attackers to execute arbitrary code on affected community platform instances.. A patch is available.

How to fix or mitigate CVE-2025-48062?

Within 24 hours: Identify all Discourse instances in your environment and document current versions. Within 7 days: Apply the vendor-released patch to all Discourse deployments and validate successful updates in a test environment first. Within 30 days: Conduct a security audit of Discourse access logs for suspicious activity during the vulnerability window and verify no unauthorized code execution occurred.

Discourse CVE-2025-48062

EUVD-2025-17465 HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-06-09 security-advisories@github.com

Code Injection Discourse

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:43 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.5.0.beta5,3.5.0.beta6-dev,3.4.4

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17465

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

CVE Published

Jun 09, 2025 - 13:15 nvd

HIGH 7.1

DescriptionGitHub Advisory

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. This can be worked around if the relevant templates are overridden without {topic_title}.

AnalysisAI

A remote code execution vulnerability in Discourse (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-79 (Cross-site Scripting). CVSS 7.1 indicates high severity. Affects Discourse.

RemediationAI

Monitor vendor channels for patch availability.

More from same product – last 7 days

CVE-2026-44786 HIGH This Week

7.5 Jun 12

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa

CVE-2026-45775 MEDIUM This Month

6.8 Jun 12

Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi

CVE-2026-44784 MEDIUM This Month

6.5 Jun 12

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m

CVE-2026-44783 MEDIUM This Month

5.4 Jun 12

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte

CVE-2026-45085 MEDIUM This Month

5.3 Jun 12

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both

CVE-2025-48062 vulnerability details – vuln.today

Back