Skip to main content

Discourse CVE-2026-55424

| EUVDEUVD-2026-42733 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 security-advisories@github.com
7.4
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

AC:H and UI:R capture the required non-default weakened-CSP config plus victim viewing the list; PR:L for the authenticated featured-link setter; S:C and C/I:L for cross-context script execution in the victim's browser.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:34 vuln.today

DescriptionCVE.org

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

Stored cross-site scripting in Discourse (before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5) lets a user with permission to set a topic "featured link" inject JavaScript that executes when the link is rendered in the topic list. Exploitation only succeeds where the platform's default Content Security Policy has been weakened or disabled, so out-of-the-box installs are protected in depth. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as featured-link-capable user
Delivery
Set topic featured link with JS payload
Exploit
Payload stored in topic list
Execution
Victim views topic list
Persist
CSP-weakened page executes script
Impact
Hijack victim session/act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) an authenticated account with permission to set a topic "featured link" (PR:L); (2) the target instance must have its default Content Security Policy modified or disabled - on the shipped default CSP the injected JavaScript is blocked and the attack fails (this is the AT:P attack requirement); and (3) a victim must load the topic list where the malicious featured link is rendered (UI:P). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.4 (High) with vector AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-trust authenticated account on a Discourse instance whose administrators have relaxed or removed the default CSP creates or edits a topic and sets a malicious featured link crafted to inject JavaScript. When another user - potentially a moderator or admin - browses the topic list containing that entry, the script executes in their session, enabling session/cookie theft or actions performed as the victim. …
Remediation Vendor-released patch: upgrade to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 (choose the fixed release on your current branch) per advisory GHSA-695w-7fv8-mxg3; the fix corresponds to commits 1bce8881e4253d9bbab56f011a12ef899b926b59, 6679d9a5083488bae10c2adbb345c481c583242c, 6828aee9b15c2655d63b515ac919830bd540ff83, and c9b9405f5bd0bf0269e505e28e3aad388d7657c5. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit your Discourse instance's Content Security Policy configuration to confirm XSS protections are enabled and not custom-weakened. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

CVE-2026-55424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy