Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attacker needs only a normal account (PR:L) but relies on an admin impersonation action (UI:R); XSS crosses into the admin's higher-authority session (S:C) with full impact on that context.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
AnalysisAI
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malicious two-factor authenticator name that executes JavaScript in an administrator's browser when that admin impersonates the account and opens the 2FA delete confirmation dialog. Affected builds are Discourse before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, spanning the 2026.1.x through 2026.6.x release lines. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a controllable Discourse account on which they set a malicious, HTML-bearing second-factor (2FA) method name, and - critically - requires an administrator to (1) use the impersonation feature on that specific account and (2) open the two-factor authenticator delete confirmation dialog, where the unescaped name is rendered. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H = 9.0) drives the critical rating largely through the scope change (S:C) and high triple impact, reflecting that code executes in a high-authority admin session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or controls an ordinary forum account and adds a TOTP/security-key second factor whose name is an HTML payload such as '<img src=x onerror="window.__xssTriggered=true">'. Later, an administrator investigating that user impersonates the account and opens the second-factor delete confirmation dialog, at which point the payload executes in the admin's authenticated browser session, enabling actions such as CSRF-token theft or admin-privileged API calls. … |
| Remediation | Vendor-released patch: upgrade to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5, whichever matches your release branch (release notes at https://github.com/discourse/discourse/releases/tag/v2026.6.0, /v2026.5.1, /v2026.4.2, and /v2026.1.5; fix commit 40de62cddadc65c328a1028ab999f3fa94adbfed). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Discourse installations and identify those running versions 2026.1.x through 2026.6.x before the fixed releases. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Discourse is a platform for community discussion. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42738