Skip to main content

Discourse CVE-2026-53962

| EUVDEUVD-2026-42734 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 security-advisories@github.com
5.4
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L because any registered user can upload SVGs; UI:R because victim must navigate to specific non-standard URLs; S:C for cross-origin JavaScript execution in victim's browser context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:46 vuln.today

DescriptionCVE.org

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

Stored cross-site scripting in Discourse's SVG upload and user avatar handling allows authenticated users to inject malicious JavaScript that executes in victims' browsers when they visit specific non-standard URLs. The CVSS scope change (S:C) reflects that successful exploitation crosses the browser security boundary, enabling session token theft or account takeover against victims who visit the triggering URL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege Discourse account
Delivery
Upload crafted SVG with embedded JavaScript payload
Exploit
Identify or construct triggering non-standard URL
Execution
Lure authenticated victim to triggering URL
Persist
XSS payload executes in victim browser
Impact
Exfiltrate session token or perform privileged action

Vulnerability AssessmentAI

Exploitation An authenticated Discourse account with upload privileges is required (PR:L - any registered forum member qualifies under default configurations). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score reflects the constrained but real impact: PR:L confirms any registered user can supply the malicious payload, while UI:R and the advisory's disclosure that the XSS only fires at 'specific URLs not normally part of community browsing' materially bounds opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privilege account on a target Discourse instance, uploads a crafted SVG file containing an embedded JavaScript payload as their avatar or a file attachment, then socially engineers an administrator or privileged user into visiting the specific non-standard URL that triggers SVG rendering in-browser. Upon visiting that URL, the victim's browser executes the attacker's JavaScript, potentially exfiltrating session tokens or performing administrative actions on the attacker's behalf. …
Remediation The primary fix is to upgrade Discourse to one of the vendor-patched releases: v2026.6.0, v2026.5.1, v2026.4.2, or v2026.1.5, all available via the GitHub releases page (https://github.com/discourse/discourse/releases). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

CVE-2026-53962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy