Impact
A vulnerability allows an attacker to submit an unfiltered string when updating a category description via the API, resulting in Cross-Site Scripting. The affected code does not sanitize this input, so the website renders attacker-supplied JavaScript in the content area of category pages. This client-side code execution can potentially manipulate page content or access browser cookies, but the CVE description only confirms the presence of XSS behavior without detailing specific downstream effects.
Affected Systems
The issue affects the Discourse discussion platform. Versions 2026.1.0 through the last build before 2026.1.3, 2026.2.0 through the last build before 2026.2.2, and 2026.3.0 through the last build before 2026.3.0 are vulnerable. The vulnerability was resolved in releases 2026.1.3, 2026.2.2, and 2026.3.0 for the respective versions.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known large-scale exploitation. Attackers would need to reach the API endpoint that updates category descriptions, which typically requires authenticated access. The likely attack vector, inferred from the use of the API, is an authenticated request from a privileged user or a misconfigured back-end service that posts the unsanitized payload. Once the unsanitized content appears on the category page, any user who views that page may be exposed to the injected script; because the description is stored and served to every visitor, this is a stored (persistent) XSS rather than a reflected one.
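The pattern behind this class of bug, and the mitigation, as an added Ruby illustration that is not Discourse's code and does not reproduce the patched change: an unfiltered template interpolates the stored description directly into the page, while the hardened version HTML-escapes on output and additionally flags markup that has no business in a plain-text category description at update time. The function names, the simulated API handler and the sample description are constructed for this example; the one real fix is output escaping, the pre-save check is a defence-in-depth heuristic that can be logged or rejected.

```ruby
require "cgi"

# Constructed sample input for this example: a category description that
# carries a script tag. Not a value taken from the CVE text.
SAMPLE_DESCRIPTION = 'Welcome to the forum <script>alert(1)</script>'

# Vulnerable pattern (hypothetical): the stored description is interpolated
# into the page as-is, so any markup in it becomes part of the DOM.
def render_description_unfiltered(description)
  "<div class=\"category-description\">#{description}</div>"
end

# Hardened pattern: escape on output so the browser treats the submitted
# text as data, never as markup. CGI.escapeHTML handles & < > " and '.
def render_description_escaped(description)
  "<div class=\"category-description\">#{CGI.escapeHTML(description.to_s)}</div>"
end

# Defence in depth for the update path: patterns that should never appear in
# a plain-text description. This is a heuristic for logging or rejecting
# suspicious submissions, not a substitute for output escaping.
SUSPICIOUS_MARKUP = [
  /<\s*script\b/i,                  # script elements
  /\bon[a-z]+\s*=/i,                # inline event handlers such as onerror=
  /javascript\s*:/i,                # javascript: URLs
  /<\s*(iframe|object|embed)\b/i    # embedding elements
].freeze

def suspicious_description?(description)
  SUSPICIOUS_MARKUP.any? { |re| description.to_s.match?(re) }
end

# Simulated API handler (hypothetical): returns a result hash instead of
# touching a real application. A real handler would also log the rejection
# with the acting user id so reviewers can spot abuse of a privileged account.
def update_category_description(params)
  desc = params[:description].to_s
  if suspicious_description?(desc)
    return { status: 422, error: "description contains disallowed markup" }
  end
  { status: 200, rendered: render_description_escaped(desc) }
end

if __FILE__ == $0
  puts render_description_unfiltered(SAMPLE_DESCRIPTION) # script tag survives
  puts render_description_escaped(SAMPLE_DESCRIPTION)    # rendered as text
  p update_category_description(description: SAMPLE_DESCRIPTION)
  p update_category_description(description: "General discussion")
end
```

Running the file prints the two renderings side by side: the first contains a live script element, the second shows the same characters as `&lt;script&gt;`, which the browser displays literally. The heuristic check is deliberately narrow; escaping at the rendering boundary is what removes the vulnerability regardless of what the API accepted.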
OpenCVE Enrichment