Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.2.0-latest
- >= 2026.1.0-latest
A cross-site scripting vulnerability has been identified in Discourse, an open-source discussion platform. This issue affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability arises because the system improperly trusts raw output from an AI Large Language Model (LLM), rendering it in the Review Queue interface using htmlSafe without sufficient sanitization. Attackers can exploit this by using valid Prompt Injection techniques to manipulate the AI into delivering harmful payloads, such as tags. When a Staff member (Admin or Moderator) reviews the flagged post, the injected payload executes, resulting in stored cross-site scripting.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user reviewing the flagged post.
The vulnerability can be reproduced by creating a post that triggers the AI triage automation. This can be done by injecting a prompt that includes malicious HTML, such as an image tag with an 'onerror' event. Once the AI processes this input and the post is flagged, a Staff member can review it in the Review Queue, where the injected HTML will be executed.
Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch. Alternatively, AI triage automation scripts can be temporarily disabled.
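A defensive rendering pattern for the root cause described above, as an added example that is not Discourse's patch or code: model output is escaped before it becomes HTML, and outputs that contained markup are flagged for logging. The function names and the sample string are constructed for illustration.

```javascript
// Added example: hypothetical helper names, not taken from Discourse.
// Treat LLM output as untrusted input: escape it before it reaches any
// "mark as safe HTML" call, since such a call disables template escaping.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "`": "&#96;",
};

// Escape every HTML metacharacter so the browser shows model output as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Heuristic for logging and alerting: did the model output contain a tag?
// A bare "<" followed by a space (as in "2 < 3") does not match.
function containsMarkup(text) {
  return /<\/?[a-zA-Z][^>]*>?/.test(String(text));
}

// Build the fragment shown to staff. The only markup in the result is the
// <br> inserted here; everything the model produced is escaped.
function renderModelReasoning(llmOutput) {
  const html = escapeHtml(llmOutput).replace(/\r?\n/g, "<br>");
  return { html, suspicious: containsMarkup(llmOutput) };
}

// Constructed sample: model output that echoes attacker-influenced markup.
const sample =
  'Flagged as spam.\n<img src="x" onerror="PLACEHOLDER">';

const result = renderModelReasoning(sample);
console.log(result.html);
console.log("suspicious:", result.suspicious);
```

The `suspicious` flag is a detection aid only; the escaping is what prevents execution.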