Cross-site scripting in Discourse - CVE-2024-52794
Published: December 19, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a user's browser.
The vulnerability exists due to cross-site scripting in the Magnific lightbox feature when handling lightbox thumbnail clicks. A remote user can craft malicious content that, when a user clicks a lightbox thumbnail, executes arbitrary script code in that user's browser.
Exploitation requires user interaction: the user must click a lightbox thumbnail.