EUVD-2026-13192CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.
Analysis
Reflected cross-site scripting in Discourse AI conversation sharing allows unauthenticated attackers to inject malicious scripts through improperly sanitized conversation titles in the onebox rendering feature. An attacker can craft a malicious shared conversation link to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running the SharedAiConversation model renders the conversation titl and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today