Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Discourse - CVE-2025-58054
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute script in the victim's browser.
The vulnerability exists because chat channel titles and chat thread titles are not properly neutralized when the rich text editor's quote message functionality parses and renders them. A remote user can craft a malicious title and trigger quote message rendering to execute script in the victim's browser.
User interaction is required: the victim must view content rendered through the quote message functionality in the rich text editor.
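The bug class described above, illustrated as an added example that is not Discourse code and does not reproduce the project's actual rendering path: a chat title that reaches the quote markup as raw HTML beside the same rendering with the title escaped first. The function names (renderQuoteHeaderUnsafe, renderQuoteHeader, containsRawTag) and the sample titles are assumptions constructed for the example.

```javascript
// Added example, not from the Discourse code base: a minimal model of the
// advisory's bug class (an untrusted chat channel/thread title interpolated
// into quote markup) and the defensive fix (escape before it becomes HTML).
// All function names and sample values are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Neutralize the characters that can open a tag or break out of an attribute.
// Each character is replaced exactly once, so '&' is never double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: titles are concatenated straight into the quote header,
// so any tag inside a title is parsed as live HTML by the viewer's browser.
function renderQuoteHeaderUnsafe(channelTitle, threadTitle) {
  return `<div class="chat-transcript-meta">${channelTitle} / ${threadTitle}</div>`;
}

// Hardened pattern: identical markup, with every untrusted field escaped.
function renderQuoteHeader(channelTitle, threadTitle) {
  return `<div class="chat-transcript-meta">${escapeHtml(channelTitle)} / ${escapeHtml(threadTitle)}</div>`;
}

// Constructed sample titles: the first carries markup, the second carries
// quote and ampersand characters that must also survive rendering intact.
const SAMPLE_CHANNEL_TITLE = "Ops <script>alert(1)</script>";
const SAMPLE_THREAD_TITLE = 'Deploy "friday" & rollback';

// Detection helper for review or tests: strips the one trusted wrapper element
// and reports whether any tag-like sequence remains in the untrusted part.
function containsRawTag(html) {
  const inner = html
    .replace(/^<div class="chat-transcript-meta">/, "")
    .replace(/<\/div>$/, "");
  return /<\/?[a-zA-Z]/.test(inner);
}

console.log("unsafe :", renderQuoteHeaderUnsafe(SAMPLE_CHANNEL_TITLE, SAMPLE_THREAD_TITLE));
console.log("escaped:", renderQuoteHeader(SAMPLE_CHANNEL_TITLE, SAMPLE_THREAD_TITLE));
```

The defensive point is the contract, not the helper: any string a user controls (channel or thread title here) is treated as text until it has passed through a single, consistently applied escaping step, and a check like containsRawTag makes that contract testable in CI.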