Discourse HTML Injection Vulnerability via Prohibited iframe URLs

Vulnerability

A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows HTML injection. Insufficient sanitization of iframe URLs in the default Codepen iframe allowance can be exploited to manipulate the URL of the main page. Exploiting this issue requires user interaction.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of the URL of the main page the affected user is viewing.

Reproduction

The vulnerability can be reproduced by embedding an iframe with a URL that includes URL-encoded path traversal into a Codepen that allows iframes. When the Codepen is rendered, the main page URL will be altered, demonstrating the injection flaw.
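The weakness described above is a prefix-style allowlist that matches an iframe src before the URL has been fully decoded and normalized. The following is an added example (not Discourse's own code) of how such an allowlist check can be hardened: the src is canonicalized first, percent-decoding is bounded, dot-segments are rejected outright, and only then is the prefix compared. The allowlist entry https://codepen.io/ is an assumed value for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist of iframe src prefixes (assumed example, not Discourse's
# actual site setting); matching is done on the canonical form only.
ALLOWED_IFRAME_PREFIXES = ("https://codepen.io/",)


def canonical_iframe_src(src: str):
    """Return a canonical 'https://host/path' for src, or None if the URL
    cannot be normalized safely (bad scheme, userinfo, dot-segments, ...)."""
    parts = urlsplit(src)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # Userinfo or an explicit port would let the allowed host name appear
    # before '@' or ':' while the request actually goes elsewhere.
    try:
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return None
    except ValueError:  # malformed port
        return None
    # Percent-decode until stable, with a bound, so %2e%2e and %252e%252e are
    # both seen as '..' rather than slipping past a prefix match undecoded.
    path = parts.path or "/"
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after three rounds: treat as hostile
    # Any dot-segment or backslash in the decoded path is rejected instead of
    # being resolved, so the path can never climb out of the allowed prefix.
    # Query and fragment are dropped from the canonical form.
    if any(seg in (".", "..") or "\\" in seg for seg in path.split("/")):
        return None
    return f"https://{parts.hostname.lower()}{path}"


def is_allowed_iframe_src(src: str, allowed=ALLOWED_IFRAME_PREFIXES) -> bool:
    """Allow an embed only when its canonical form sits under an allowed prefix."""
    canonical = canonical_iframe_src(src)
    return canonical is not None and any(canonical.startswith(p) for p in allowed)


if __name__ == "__main__":
    for src in ("https://codepen.io/someone/embed/abc123",  # legitimate embed
                "https://codepen.io/%2e%2e/%2e%2e/x",       # encoded traversal
                "https://codepen.io.evil.example/x"):       # look-alike host
        print(f"{is_allowed_iframe_src(src)!s:5} {src}")
```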

Remediation

Upgrading to a version that is no longer affected (see above) resolves the issue. As an interim mitigation, site administrators can remove Codepen from the list of allowed iframes.

Added: Mar 19, 2026, 9:41 PM
Updated: Mar 19, 2026, 9:41 PM

Vulnerability Rating (custom algorithm)

Category        Score
spread          2.4
impact          0.2
exploitability  4.0
remediation     8.3
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.