Skip to main content

Discourse CVE-2026-53963

| EUVDEUVD-2026-42738 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 security-advisories@github.com
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.0 CRITICAL

Attacker needs only a normal account (PR:L) but relies on an admin impersonation action (UI:R); XSS crosses into the admin's higher-authority session (S:C) with full impact on that context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 14, 2026 - 01:44 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 01:43 vuln.today
Analysis Updated
Jul 14, 2026 - 01:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 01:37 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 01:37 NVD
HIGH CRITICAL
CVSS changed
Jul 14, 2026 - 01:37 NVD
7.3 (HIGH) 9.0 (CRITICAL)
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:33 vuln.today

DescriptionNVD

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malicious two-factor authenticator name that executes JavaScript in an administrator's browser when that admin impersonates the account and opens the 2FA delete confirmation dialog. Affected builds are Discourse before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, spanning the 2026.1.x through 2026.6.x release lines. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or control a forum account
Delivery
Set 2FA name to XSS payload
Exploit
Admin impersonates the account
Execution
Admin opens 2FA delete dialog
Persist
Payload executes in admin browser
Impact
Hijack admin session/privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a controllable Discourse account on which they set a malicious, HTML-bearing second-factor (2FA) method name, and - critically - requires an administrator to (1) use the impersonation feature on that specific account and (2) open the two-factor authenticator delete confirmation dialog, where the unescaped name is rendered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H = 9.0) drives the critical rating largely through the scope change (S:C) and high triple impact, reflecting that code executes in a high-authority admin session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or controls an ordinary forum account and adds a TOTP/security-key second factor whose name is an HTML payload such as '<img src=x onerror="window.__xssTriggered=true">'. Later, an administrator investigating that user impersonates the account and opens the second-factor delete confirmation dialog, at which point the payload executes in the admin's authenticated browser session, enabling actions such as CSRF-token theft or admin-privileged API calls. …
Remediation Vendor-released patch: upgrade to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5, whichever matches your release branch (release notes at https://github.com/discourse/discourse/releases/tag/v2026.6.0, /v2026.5.1, /v2026.4.2, and /v2026.1.5; fix commit 40de62cddadc65c328a1028ab999f3fa94adbfed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Discourse installations and identify those running versions 2026.1.x through 2026.6.x before the fixed releases. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

CVE-2023-48297 HIGH
8.6 Jan 12

Discourse is a platform for community discussion. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit

Share

CVE-2026-53963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy