CVE-2026-33395
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Tags
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
Analysis
Authenticated users can inject persistent JavaScript through malicious DOT graph definitions in the discourse-graphviz plugin on Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, enabling stored XSS attacks when Content Security Policy is disabled. Affected instances should upgrade to patched versions, disable the plugin, or enforce a CSP as a temporary mitigation, as no patch is currently available for all deployment scenarios.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today