Skip to main content

Discourse EUVDEUVD-2025-33227

| CVE-2025-58054 LOW
Basic XSS (CWE-80)
2025-10-01 security-advisories@github.com
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-33227
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
Patch released
Oct 23, 2025 - 15:09 nvd
Patch available
CVE Published
Oct 01, 2025 - 19:15 nvd
LOW 3.5

DescriptionGitHub Advisory

Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.

Analysis

Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding. This vulnerability is classified as Basic XSS (CWE-80).

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

EUVD-2025-33227 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy