Discourse Stored Cross-Site Scripting Vulnerability in Graphviz Plugin

A stored cross-site scripting vulnerability has been identified in the Discourse graphviz plugin, affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. This vulnerability allows authenticated users to inject malicious JavaScript into DOT graph definitions. The issue arises in instances where the Content Security Policy (CSP) is disabled.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, create a post with Graphviz content that includes a DOT definition. The definition can be crafted to include JavaScript URLs, such as 'javascript:alert(1)'. After posting, the injected script will execute when the post is viewed.

Remediation

Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch. Alternatively, the graphviz plugin can be disabled or a Content Security Policy can be enabled.