Discourse S3 Upload Vulnerability Allowing Script Execution in HTML/XML Files

Vulnerability

A vulnerability in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows for the execution of scripts in uploaded HTML or XML files on S3. While the scripts can be executed, they will only run in the context of the S3/CDN domain, without any site credentials. This vulnerability affects users who utilize S3 for file uploads.

Impact

Exploitation of this vulnerability could lead to unauthorized script execution in the context of the S3/CDN domain, potentially allowing for malicious actions to be performed from that domain.

Remediation

Users can upgrade to Discourse versions 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 to address this vulnerability. As a workaround, HTML or XML files should be disallowed in the authorized_extensions for uploads. For sites with existing HTML or XML uploads, it is recommended to delete those files.
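
The workaround and cleanup above can be checked with a short audit. The following is an added example, not code from Discourse or from this advisory. It assumes that authorized_extensions is a pipe-delimited list in which "*" permits every extension, and that htm and xhtml count as HTML variants; the setting value and object keys are constructed samples.

```ruby
# Added example, not Discourse code. Assumptions are marked below.
require "set"

# Assumption: extensions treated as HTML/XML for this audit. The advisory names
# only "HTML or XML"; htm and xhtml are included here as common variants.
RISKY_EXTENSIONS = Set.new(%w[html htm xhtml xml]).freeze

# Assumption: authorized_extensions is a pipe-delimited list and "*" permits
# every extension. Returns the risky extensions the setting currently allows.
def risky_authorized_extensions(setting_value)
  entries = setting_value.to_s.split("|").map { |e| e.strip.downcase.delete_prefix(".") }
  entries = entries.reject(&:empty?)
  return RISKY_EXTENSIONS.to_a.sort if entries.include?("*")
  entries.select { |e| RISKY_EXTENSIONS.include?(e) }.uniq.sort
end

# Returns the object keys whose final extension is HTML/XML (case-insensitive).
# A key such as "x.html.txt" is not flagged because its final extension is txt.
def risky_upload_keys(keys)
  keys.select do |key|
    ext = File.extname(key.to_s).delete_prefix(".").downcase
    RISKY_EXTENSIONS.include?(ext)
  end
end

# Constructed sample data, not taken from any real site.
SAMPLE_SETTING = "jpg|jpeg|png|gif|pdf|HTML|xml"
SAMPLE_KEYS = [
  "original/1X/aaaa.png",
  "original/1X/bbbb.HTML",
  "original/2X/cccc.xml",
  "original/2X/dddd.html.txt",
  "original/3X/eeee.pdf",
]

if __FILE__ == $PROGRAM_NAME
  puts "Extensions to remove: #{risky_authorized_extensions(SAMPLE_SETTING).join(', ')}"
  puts "Uploads to review for deletion:"
  risky_upload_keys(SAMPLE_KEYS).each { |k| puts "  #{k}" }
end
```

Feed it the site's actual setting value and a listing of the upload bucket's object keys to see which extensions to remove and which existing files to review for deletion.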

Added: Jan 28, 2026, 7:33 PM
Updated: Jan 28, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.4
exploitability: 2.4
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.