Discourse Content-Security-Policy-Mitigated Cross-Site Scripting Vulnerability in Math Plugin

Vulnerability

A cross-site scripting vulnerability has been identified in the Discourse Math plugin, specifically in its KaTeX variant. It affects Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Discourse's content security policy mitigates the vulnerability, but stored cross-site scripting is still possible.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: injected script content persists in forum content and executes in the browsers of other users who view it, within the limits imposed by the content security policy.

Remediation

Update to Discourse version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. As a workaround, disable the Discourse Math plugin or switch its provider from KaTeX to MathJax.
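The following triage helper is an added example, not Discourse's own code or part of this advisory. It encodes only what the advisory states (the four fixed releases, and that disabling the plugin or using the MathJax provider avoids the issue) and classifies an inventory of instances by hostname and version string. How pre-release tags such as "beta1" compare to final releases, and the treatment of release branches the advisory does not name, are this example's assumptions; the hostnames in the sample inventory are constructed.

```python
"""Triage helper for the Discourse Math (KaTeX) stored-XSS advisory.

Added example, not Discourse's own code. It only encodes what the advisory
states: the four fixed releases, and that disabling the plugin or using the
MathJax provider instead of KaTeX avoids the issue. Version-string parsing
rules (how pre-release tags compare) are this example's assumptions.
"""
from typing import Dict, Iterable, Tuple

# Fixed releases named in the advisory, one per release branch (major.minor).
FIXED_VERSIONS = ("3.5.4", "2025.11.2", "2025.12.1", "2026.1.0")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert '3.5.4', '2025.11.2' or '3.5.4.beta1' into a comparable tuple.

    Assumption: the first non-numeric segment (e.g. 'beta1') marks a
    pre-release, which sorts below the final release of the same number.
    Missing trailing components are treated as zero ('3.5' -> 3.5.0).
    """
    numbers = []
    prerelease = False
    for segment in version.replace("-", ".").split("."):
        if segment.isdigit():
            numbers.append(int(segment))
        else:
            prerelease = True
            break
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2], -1 if prerelease else 0)


# Map each release branch (major.minor) to its first fixed release.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS
}


def assess(version: str, math_plugin_enabled: bool = True,
           provider: str = "katex") -> str:
    """Classify one Discourse instance against the advisory.

    Returns one of:
      'not-affected'     - math plugin disabled, or provider is MathJax
      'fixed'            - running the fixed release (or later) on its branch
      'vulnerable'       - below the fixed release on a listed branch
      'unlisted-branch'  - branch not named in the advisory; review manually
    """
    if not math_plugin_enabled or provider.lower() == "mathjax":
        return "not-affected"
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # Assumption: the advisory names no fixed release on this branch,
        # so the result is flagged for manual review rather than guessed.
        return "unlisted-branch"
    return "fixed" if parsed >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Run assess() over (hostname, version) pairs; assumes KaTeX is enabled."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("forum-a.example", "3.5.3"),
              ("forum-b.example", "2025.12.1"),
              ("forum-c.example", "2026.1.0.beta1"),
              ("forum-d.example", "3.4.7")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Instances reported as "unlisted-branch" (for example a 3.4.x release) are not covered by the advisory's fixed-version list and should be checked against the vendor's release notes rather than assumed safe.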

Added: Jan 28, 2026, 7:31 PM
Updated: Jan 28, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 2.6
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.