Discourse Stored Cross-Site Scripting Vulnerability in Shared AI Conversations Onebox

Vulnerability

A stored cross-site scripting vulnerability has been identified in Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. This vulnerability allows an attacker to inject arbitrary HTML and JavaScript into shared AI conversation titles. The injected payload would execute in the browser of any user viewing the onebox preview, potentially leading to session hijacking or unauthorized actions on behalf of the victim.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the onebox preview.

Reproduction

To reproduce this vulnerability, create a shared AI conversation and inject a title containing malicious HTML or JavaScript, such as an image tag with an event handler. Once the conversation is shared, the onebox preview will execute the injected script in the browser of anyone viewing it.

Remediation

Users are advised to update Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0.
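The defect described under Reproduction is a title interpolated into onebox HTML without escaping; the remediation at the code level is to escape every untrusted value at the point of rendering. The following is an added example, not Discourse's or the onebox gem's own code, showing the unsafe interpolation beside the escaped form over a constructed title that carries an image tag with an event handler (the function names, the `.invalid` URL and the title are assumptions made for the example):

```ruby
require "cgi"

# Constructed sample title of the kind the advisory describes: it carries an
# image tag whose event-handler attribute would run if rendered unescaped.
SAMPLE_TITLE = 'Planning notes <img src=x onerror="evil()">'.freeze

# Unsafe: the title is interpolated into the HTML verbatim, so any markup it
# contains becomes part of the page. This is the pattern behind the bug.
def render_onebox_unsafe(title, url)
  "<aside class=\"onebox\"><a href=\"#{url}\">#{title}</a></aside>"
end

# Hardened: every untrusted value is escaped before it touches the HTML.
# CGI.escapeHTML turns < > & " ' into entities, so the browser displays the
# title as text and never parses a tag or attribute out of it.
def render_onebox_safe(title, url)
  "<aside class=\"onebox\"><a href=\"#{CGI.escapeHTML(url)}\">" \
    "#{CGI.escapeHTML(title)}</a></aside>"
end

# Detection helper for a review or regression test: true when the rendered
# HTML contains a tag or a live event-handler attribute that came from the
# title rather than from the template.
def leaks_markup?(html)
  html.include?("<img") || html.include?('onerror="')
end
```

In a regression test, `leaks_markup?` should be true for the unsafe renderer and false for the safe one on the same input.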

Added: Mar 31, 2026, 6:51 PM
Updated: Mar 31, 2026, 6:51 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 4.0
remediation: 7.7
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.