CVE-2026-33411 PUBLISHED

Discourse's solved topic stream has potential stored XSS in topic title

Assigner: GitHub_M
Reserved: 19.03.2026 Published: 20.03.2026 Updated: 20.03.2026

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	discourse
Product	discourse
Versions	Version >= 2026.1.0-latest, < 2026.1.2 is affected Version >= 2026.2.0-latest, < 2026.2.1 is affected Version = 2026.3.0-latest is affected

References

https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE