CVE-2026-33411 - Vulnerability Details

- Discourse's solved topic stream has potential stored XSS in topic title

Description

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Published: 2026-03-20

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Discourse forums allow administrators to post topics. This vulnerability stems from insufficient sanitization of topic titles in the solved posts stream. As a result, an attacker could store malicious JavaScript in a title. When a user opens the solved stream, the injected script would execute in the victim’s browser, giving the attacker control over the client context. Based on the description, it is inferred that such execution could lead to session hijacking or other client‑side attacks.

Affected Systems

Discourse, the open‑source discussion platform, is affected. All instances running any version earlier than the following patched releases are vulnerable: 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Versions that include the patch sanitize the title rendering for the solved stream. The affected products are identified by the CPE strings that reference the core Discourse application.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate severity for this stored XSS flaw. The EPSS score of less than 1 % suggests a low probability of exploitation in the near term. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Attackers would need the ability to create or edit a topic in the solved stream and rely on users visiting that page to trigger the embedded script. While the likelihood of exploitation is low, the impact on user data and trust warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

discourse

affected

Version	Status	Constraints
`>= 2026.1.0-latest, < 2026.1.2`	affected	—
`>= 2026.2.0-latest, < 2026.2.1`	affected	—
`= 2026.3.0-latest`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

No data.

Vendor Product Confidence Versions

Discourse

100%

Version	Status	Scheme	Platform
`[2026.1.0-latest,2026.1.2)`	affected	semver	—
`[2026.2.0-latest,2026.2.1)`	affected	semver	—
`2026.3.0-latest`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a patched release (2026.3.0-latest.1, 2026.2.1, or 2026.1.2) or newer.
If an upgrade cannot be performed immediately, ensure that a Content Security Policy is enabled and has not been altered to allow inline scripts or unsafe sources.
Review topic title inputs to confirm they are properly sanitized before storage.

Generated by OpenCVE AI on March 24, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2

History

Tue, 24 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:discourse:discourse:::::::: cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

Tue, 24 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Discourse Discourse discourse
Vendors & Products		Discourse Discourse discourse

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
Title		Discourse's solved topic stream has potential stored XSS in topic title
Weaknesses		CWE-79
References		https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Discourse Discourse

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-20T22:58:14.546Z

Updated: 2026-03-24T18:03:07.240Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33411

Vulnrichment

Updated: 2026-03-24T18:02:58.208Z

NVD

Status : Analyzed

Published: 2026-03-20T23:16:47.660

Modified: 2026-03-24T21:11:01.230

Link: CVE-2026-33411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:57Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object