Discourse Stored Cross-Site Scripting Vulnerability in Assignment UI

Vulnerability

A stored cross-site scripting vulnerability has been identified in Discourse, an open-source discussion platform. This issue affects versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The vulnerability arises when the hidden 'prioritize_full_name_in_ux' site setting is enabled: the assignee's full name is then rendered into the assignment UI without escaping, so a user with assignment permissions can inject arbitrary HTML or JavaScript through that name, and the injected content executes in the browsers of users viewing the affected topics. The vulnerability is present in several assignment-related user interface paths, including assignment tags in topic lists, first-post assignment displays, small action descriptions, mobile footer buttons, and topic-level unassign menus.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, enable the 'prioritize_full_name_in_ux' site setting via the console. Then, assign a user or group to a topic, injecting unescaped HTML or JavaScript, such as an image tag, into the name. This injection can be done through the Discourse user interface by assigning a user or group with a name that includes the malicious payload. Once the injection is made, the payload will be executed in the browser of anyone viewing the topic.
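The root cause described in the Vulnerability and Reproduction sections is a display name reaching markup unescaped. The following is an added example, not Discourse's or the discourse-assign plugin's code, showing the vulnerable rendering pattern beside its hardened form in plain JavaScript. The user record `SAMPLE_USER` is constructed, the function names (`renderAssignmentUnsafe`, `renderAssignmentSafe`, `containsForeignTag`) are hypothetical, and the site setting's effect is mimicked by a boolean argument rather than read from Discourse.

```javascript
// Added example (not Discourse's own code): rendering an assignment label
// from a user's display name, once without and once with HTML escaping.

// Constructed sample user whose full name carries markup, as in the advisory.
// The onerror handler is a harmless marker; what matters is whether the
// browser would see a tag at all.
const SAMPLE_USER = {
  username: "alice",
  name: '<img src="x" onerror="mark()">',
};

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the setting's effect (assumption): prefer the full name when the
// flag is on and the user has one, otherwise fall back to the username.
function displayName(user, prioritizeFullName) {
  return prioritizeFullName && user.name ? user.name : user.username;
}

// VULNERABLE pattern: the name is concatenated into markup as-is, so any
// tag inside the full name is parsed and executed by the viewer's browser.
function renderAssignmentUnsafe(user, prioritizeFullName) {
  return `<span class="assigned-to">${displayName(user, prioritizeFullName)}</span>`;
}

// HARDENED pattern: escape the name before interpolation, so it is shown
// literally. The same applies to every UI path listed in the advisory.
function renderAssignmentSafe(user, prioritizeFullName) {
  return `<span class="assigned-to">${escapeHtml(displayName(user, prioritizeFullName))}</span>`;
}

// Regression check a test suite can apply to a rendered label: strip the
// known wrapper element and report whether any other tag start remains.
function containsForeignTag(html) {
  const inner = html
    .replace(/^<span class="assigned-to">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-zA-Z]/.test(inner);
}

// Stand-alone usage: compare both renderings with the setting enabled.
console.log("unsafe :", renderAssignmentUnsafe(SAMPLE_USER, true));
console.log("safe   :", renderAssignmentSafe(SAMPLE_USER, true));
console.log("foreign tag in safe output?", containsForeignTag(renderAssignmentSafe(SAMPLE_USER, true)));
```

In an Ember/Handlebars template the equivalent hardening is to interpolate the name with the default escaping `{{name}}` and to avoid marking strings that contain user-controlled data as safe HTML; the `containsForeignTag` check is the kind of assertion a regression test for each affected UI path can run against the rendered output.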

Remediation

Users are advised to update Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0, where this vulnerability has been patched.

Added: Mar 31, 2026, 6:47 PM
Updated: Mar 31, 2026, 6:47 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.7
exploitability: 3.6
remediation: 8.3
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.