What is the CVSS score of CVE-2025-48954?

CVE-2025-48954 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 14.0%.

Which versions of Discourse are affected by CVE-2025-48954?

Discourse instances with disabled Content Security Policy are vulnerable to reflected XSS attacks through social login endpoints, allowing unauthenticated attackers to steal session tokens and…. A patch is available.

Is there a public PoC exploit available for CVE-2025-48954?

Yes, a public proof-of-concept exploit is available for CVE-2025-48954. Prioritise patching immediately. EPSS: 14.0%.

How to fix or mitigate CVE-2025-48954?

Within 24 hours: Audit all Discourse instances to identify versions prior to 3.5.0.beta6 and verify CSP configuration status. Within 7 days: Upgrade to Discourse 3.5.0.beta6 or later; if immediate upgrade is not feasible, enable Content Security Policy. Within 30 days: Conduct post-patch validation, review authentication logs for suspicious social login activity, and implement security awareness training regarding malicious link risks.

Discourse CVE-2025-48954

EUVD-2025-28274 HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-06-25 security-advisories@github.com

XSS Discourse

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:36 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.5.0.beta6

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-28274

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

CVE Published

Jun 25, 2025 - 14:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.

AnalysisAI

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login functionality that is only exploitable when Content Security Policy (CSP) is disabled. An unauthenticated attacker can craft a malicious link leveraging social authentication endpoints to inject arbitrary JavaScript, potentially stealing session tokens, credentials, or performing actions on behalf of the victim. The vulnerability requires user interaction (clicking a malicious link) but has high impact on confidentiality and integrity with no availability impact.

Technical ContextAI

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability specific to Discourse's social login authentication handlers. The root cause appears to be insufficient input sanitization or output encoding in the social login callback/processing endpoints when CSP is not active to provide a secondary XSS defense. Discourse (CPE identifier: cpe:2.3:a:discourse:discourse) is a Ruby on Rails-based discussion platform; the vulnerability likely exists in the OmniAuth integration layer or social provider callback handlers that process untrusted user input from OAuth providers or redirect parameters without proper encoding. The vulnerability is context-dependent on CSP being disabled, indicating that Discourse intentionally relies on CSP as a primary XSS mitigation in production deployments. Affected versions: Discourse < 3.5.0.beta6.

More from same product – last 7 days

CVE-2026-44786 HIGH This Week

7.5 Jun 12

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa

CVE-2026-45775 MEDIUM This Month

6.8 Jun 12

Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi

CVE-2026-44784 MEDIUM This Month

6.5 Jun 12

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m

CVE-2026-44783 MEDIUM This Month

5.4 Jun 12

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte

CVE-2026-45085 MEDIUM This Month

5.3 Jun 12

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both

CVE-2025-48954 vulnerability details – vuln.today

Back