Discourse Cross-Site Scripting Vulnerability in Category Description Update via API

A cross-site scripting (XSS) vulnerability has been identified in Discourse, an open-source discussion platform. This issue affects versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The vulnerability arises because the API does not properly sanitize category descriptions when they are updated, allowing malicious users to inject scripts that could be executed in the context of the user.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, update a category description via the Discourse API without proper sanitization. Include a script tag in the description to demonstrate the XSS injection. After the update, the injected script will be executed, confirming the presence of the vulnerability.

Remediation

Users can update to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0, where this vulnerability has been patched. Additionally, ensure that the Content Security Policy is enabled and not modified in a way that could increase vulnerability to XSS attacks.