Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model (LLM) and renders it using htmlSafe in the Review Queue interface without adequate sanitization. A malicious attacker can use valid Prompt Injection techniques to force the AI to return a malicious payload (e.g., tags). When a Staff member (Admin/Moderator) views the flagged post in the Review Queue, the payload executes. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, temporarily disable AI triage automation scripts.
Published: 2026-03-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS in Admin Review Queue
Action: Patch Now
AI Analysis

Impact

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 trust raw AI output when showing flagged posts in the Review Queue, rendering it with htmlSafe without proper sanitization. An attacker who can manipulate the AI’s prompt to produce malicious HTML or JavaScript will have that code executed in the browser of any staff member who opens the flagged post. This stored cross‑site scripting allows the attacker to hijack staff sessions, run arbitrary code inside the forum’s web context, and potentially compromise the entire installation.

Affected Systems

The vulnerability affects the Discourse open‑source discussion platform, specifically any instance running older releases before 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. The corrected releases include the patch, as evidenced by the commits linked in the advisory.

Risk and Exploitability

The CVSS score is 5.1 and the EPSS probability is less than 1 %, indicating a moderate severity with low exploitation likelihood. However, because the flaw permits a prompt‑injection attack that stores malicious payloads for privileged users, a single successful injection grants persistent malicious code execution for any staff member viewing the content. The vulnerability is not listed in CISA’s KEV catalog, but because it directly affects privileged session integrity, timely remediation is critical.

Generated by OpenCVE AI on March 25, 2026 at 03:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched Discourse release (2026.3.0‑latest.1, 2026.2.1, or 2026.1.2).
  • If an upgrade cannot be performed immediately, temporarily disable the AI Triage Automation scripts to block automated content rendering.
  • Ensure that all AI‑generated output is sanitized before rendering in the Review Queue.
  • Monitor logs for suspicious or malformed input and XSS attempts.

Generated by OpenCVE AI on March 25, 2026 at 03:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model (LLM) and renders it using htmlSafe in the Review Queue interface without adequate sanitization. A malicious attacker can use valid Prompt Injection techniques to force the AI to return a malicious payload (e.g., tags). When a Staff member (Admin/Moderator) views the flagged post in the Review Queue, the payload executes. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, temporarily disable AI triage automation scripts.
Title Discourse has Stored XSS in AI Triage Automation
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:10:38.878Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27740

cve-icon Vulnrichment

Updated: 2026-03-20T17:03:21.908Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:09.410

Modified: 2026-03-25T00:58:33.730

Link: CVE-2026-27740

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:54Z

Weaknesses