Cross-site scripting in Discourse - CVE-2025-48877
Published: June 9, 2025 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the iframe scope.
The vulnerability exists due to improper neutralization of active content in embedded CodePen iframe handling when rendering user-supplied embedded CodePen content. A remote user can include a crafted CodePen embed to execute arbitrary JavaScript in the iframe scope.
The issue is related to CodePen being present in the default allowed_iframes site setting.