Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Discourse - CVE-2025-58054

Published: July 1, 2026


Vulnerability identifier: #VU136109
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-58054
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization of chat channel titles and chat thread titles when the rich text editor's quote message functionality parses and renders them. A remote user with low privileges (PR:L in the CVSS vector) who can set such a title can embed script-bearing HTML in it; when quote message rendering is triggered for content from that channel or thread, the title is rendered as markup rather than text and the script executes in the viewing user's browser.

User interaction is required: the victim must view content rendered through the quote message functionality in the rich text editor (UI:A).
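The pattern behind this class of bug, as an added illustration that is not Discourse's code and does not reproduce the actual vulnerable path: a quote block whose header shows a user-supplied channel or thread title. The sample title, the `renderQuoteUnsafe`/`renderQuoteSafe` functions and the `titleRegionHasRawTag` check are all constructed here for the example.

```javascript
// Added example, not Discourse's own code. Models a quote block whose
// header carries a chat channel or thread title chosen by another user.

// Constructed sample title (hypothetical payload, not from the advisory).
// A low-privileged user who controls a channel/thread title could set it.
const MALICIOUS_TITLE = 'General <img src=x onerror="alert(document.cookie)">';

// Already-rendered (trusted) message body, constructed for the example.
const SAMPLE_BODY = '<p>quoted message text</p>';

// Vulnerable pattern: the title is concatenated straight into markup, so
// any tag or event handler it contains becomes live DOM once inserted.
function renderQuoteUnsafe(title, body) {
  return `<blockquote><div class="title">${title}</div>${body}</blockquote>`;
}

// Hardened pattern: encode the characters HTML treats specially before the
// title is placed into element content. The title is then displayed as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderQuoteSafe(title, body) {
  return `<blockquote><div class="title">${escapeHtml(title)}</div>${body}</blockquote>`;
}

// Crude reviewer check over rendered quote markup: does the user-controlled
// title region still contain a raw tag opener? Escaped output never does.
function titleRegionHasRawTag(html) {
  const m = html.match(/<div class="title">(.*?)<\/div>/s);
  if (!m) return false;
  return /<\/?\w+/.test(m[1]);
}

// Stand-alone demonstration.
const unsafe = renderQuoteUnsafe(MALICIOUS_TITLE, SAMPLE_BODY);
const safe = renderQuoteSafe(MALICIOUS_TITLE, SAMPLE_BODY);
console.log('unsafe flagged:', titleRegionHasRawTag(unsafe)); // true
console.log('safe flagged:  ', titleRegionHasRawTag(safe));   // false
console.log(safe);
```

Escaping at the point where the title enters element content is the fix for this specific sink; a title placed into an attribute or a URL would need the corresponding context-specific encoding instead.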


How to mitigate CVE-2025-58054

Install security update from vendor's website.

Sources