Cross-site scripting in Discourse - CVE-2025-48062
Published: June 9, 2025 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to inject HTML into the email body and disclose sensitive information.
The vulnerability exists due to improper neutralization of input during web page generation in invite email templates when including a topic title containing HTML in invitation emails. A remote user can invite someone to a private message or to a topic with a custom message using a crafted topic title to inject HTML into the email body and disclose sensitive information.
The issue affects certain invitations sent to recipients without an account.