Cross-site scripting in Discourse - CVE-2025-48062

 

Cross-site scripting in Discourse - CVE-2025-48062

Published: June 9, 2025 / Updated: July 1, 2026


Vulnerability identifier: #VU136106
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-48062
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to inject HTML into the email body and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation in invite email templates when including a topic title containing HTML in invitation emails. A remote user can invite someone to a private message or to a topic with a custom message using a crafted topic title to inject HTML into the email body and disclose sensitive information.

The issue affects certain invitations sent to recipients without an account.


How to mitigate CVE-2025-48062

Install security update from vendor's website.

Sources