CVE-2026-33395 PUBLISHED

Discourse has stored click‑based XSS via Graphviz SVG javascript: links

Assigner: GitHub_M
Reserved: 19.03.2026 Published: 19.03.2026 Updated: 19.03.2026

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 4.4

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	discourse
Product	discourse
Versions	Version >= 2026.1.0-latest, < 2026.1.2 is affected Version >= 2026.2.0-latest, < 2026.2.1 is affected Version = 2026.3.0-latest is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE