Primary

Context

Discourse Unauthenticated Domain Injection Vulnerability in Authorization Page

Vulnerability

Patched

A vulnerability exists in Discourse, an open-source discussion platform, prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. This vulnerability allows an unauthenticated attacker to manipulate a legitimate Discourse authorization page to display an attacker-controlled domain. This could facilitate social engineering attacks against users.

Impact

Exploitation of this vulnerability could lead to social engineering attacks, as it allows an attacker to inject a malicious domain into an authorization page, potentially deceiving users.

Remediation

Users are advised to update to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Added: Mar 21, 2026, 12:27 AM

Updated: Mar 21, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.2

exploitability

4.4

remediation

7.7

relevance

4.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.2

exploitability

4.4

remediation

7.7

relevance

4.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Discourse Unauthenticated Domain Injection Vulnerability in Authorization Page

Vulnerability

Impact

Remediation

Affected Products

Discourse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating