Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a malicious account to embed arbitrary HTML into its full name, which is rendered without sanitization when that user's posts are viewed. When an editor modifies a post belonging to that account, the unsanitized HTML is injected into every browser viewing the edited post, enabling attackers to steal session cookies, deface content, or execute additional client‑side scripts. This is a classic Cross‑Site Scripting flaw (CWE‑79).

Affected Systems

Discourse, the open‑source discussion platform, is impacted in all releases older than 2025.12.2, 2026.1.1, and 2026.2.0. The defect manifests only when the setting `display_name_on_posts` is true and `prioritize_username_in_ux` is false, which causes user full names to be output as raw HTML. Any installation running a vulnerable version with these settings should be considered at risk.

Risk and Exploitability

The CVSS base score is 1.3, indicating low severity, and the EPSS probability is below 1%, reflecting a very low chance of exploitation. The vulnerability is not listed in CISA’s KEV catalog. It is inferred that exploitation requires an authenticated user with permission to edit posts, and the effect is limited to browsers that render the malicious user's name when one of that user's posts is edited. Consequently, while the overall risk remains low, any publicly exposed Discourse instance with the problematic settings may still be exposed to XSS attacks.

Generated by OpenCVE AI on April 17, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release (2025.12.2, 2026.1.1, 2026.2.0, or the latest stable version).
  • After upgrading, review or remove any user display names that contain unsanitized HTML to eliminate residual risk.
  • Continuously monitor Discourse release notes and apply new security updates as they become available to maintain protection against future vulnerabilities.
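The rendering pattern described under Impact and the post-upgrade name audit from the recommended actions, as an added illustration (not Discourse's code): the two setting names come from the advisory, while the user objects, function names and sample data are hypothetical and constructed here.

```javascript
// Minimal HTML escaper for text that is placed inside element content/attributes.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
}[c]));

// Which label a post shows, following the two settings named in the advisory:
// the full name is used only when display_name_on_posts is on and
// prioritize_username_in_ux is off; otherwise the username is shown.
function postLabel(user, settings) {
  const showName = settings.display_name_on_posts && !settings.prioritize_username_in_ux;
  return showName && user.name ? user.name : user.username;
}

// Vulnerable pattern: the label is concatenated into markup as-is, so a name
// containing tags is interpreted as HTML by every browser rendering the post.
function renderVulnerable(user, settings) {
  return `<span class="poster">${postLabel(user, settings)}</span>`;
}

// Hardened pattern: the label is escaped before it reaches the HTML.
function renderSafe(user, settings) {
  return `<span class="poster">${escapeHtml(postLabel(user, settings))}</span>`;
}

// Post-upgrade audit (recommended action above): report stored full names
// that contain tags or entities so they can be reviewed or removed.
function namesWithMarkup(users) {
  return users
    .filter((u) => /[<>]|&#?\w+;/.test(u.name || ""))
    .map((u) => u.username);
}

// Constructed sample data (hypothetical accounts, not real Discourse users).
const vulnerableSettings = { display_name_on_posts: true, prioritize_username_in_ux: false };
const sampleUsers = [
  { username: "alice", name: "Alice Example" },
  { username: "mallory", name: "<i>not plain text</i>" },
];
```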


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:15:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added:
  Discourse
  Discourse discourse

Type: Vendors & Products
Values Added:
  Discourse
  Discourse discourse

Thu, 26 Feb 2026 21:45:00 +0000

Type: Description
Values Added: Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Type: Title
Values Added: Discourse has XSS when editing a malicious post

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:57:00.349Z

Reserved: 2026-02-18T00:18:53.962Z

Link: CVE-2026-27154

Vulnrichment

Updated: 2026-03-02T20:56:47.060Z

NVD

Status: Analyzed

Published: 2026-02-26T22:20:47.730

Modified: 2026-03-02T18:13:16.807

Link: CVE-2026-27154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses