CVE-2026-55420 PUBLISHED

Discourse: Remote code execution via pdf uploads

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 09.07.2026 Updated: 09.07.2026

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Product Status

Vendor discourse
Product discourse
Versions
  • Version >= 2026.5.0-latest, < 2026.5.1 is affected
  • Version >= 2026.4.0-latest, < 2026.4.2 is affected
  • Version >= 2026.1.0-latest, < 2026.1.5 is affected

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE