Cross-site scripting in Discourse - CVE-2026-27166

Published: July 1, 2026


Vulnerability identifier: #VU136133
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27166
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software: Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify the URL of the main page.

The vulnerability exists due to improper neutralization of input in the default Codepen allowed iframes value when processing prohibited iframe URLs. A remote user can craft content that tricks a user into changing the URL of the main page.

User interaction is required.
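Added example, not the advisory's or Discourse's own code: a strict allowlist check for iframe src values in the pipe-separated URL-prefix style assumed here for Discourse's allowed_iframes site setting (the Codepen prefix mirrors the default named above; the second prefix and the post body are constructed), with an audit helper that lists the embeds a post contains that the allowlist would not permit.

```ruby
require "uri"
# Constructed sample allowlist in the pipe-separated URL-prefix style assumed for
# Discourse's allowed_iframes site setting (second entry is illustrative only).
ALLOWED_IFRAME_PREFIXES =
  "https://codepen.io/|https://www.openstreetmap.org/export/embed.html?".split("|").freeze

# Parse only absolute http(s) URLs with a non-empty host; anything else is nil.
def parse_http(str)
  uri = URI.parse(str.to_s.strip)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty? ? uri : nil
rescue URI::InvalidURIError
  nil
end

# Path plus query: the part of the URL an allowed prefix constrains after the origin.
def request_target(uri)
  path = uri.path.empty? ? "/" : uri.path
  uri.query.nil? ? path : "#{path}?#{uri.query}"
end

# Strict check: scheme, host and port must equal the prefix's origin exactly (no
# lookalike hosts, no userinfo) and path/query must begin with the prefix's. A plain
# String#start_with? on the raw URL would not separate codepen.io from codepen.io.example.net.
def iframe_src_allowed?(src, prefixes = ALLOWED_IFRAME_PREFIXES)
  uri = parse_http(src)
  return false if uri.nil? || uri.userinfo
  prefixes.any? do |prefix|
    allowed = parse_http(prefix)
    next false if allowed.nil?
    uri.scheme.casecmp?(allowed.scheme) &&
      uri.host.casecmp?(allowed.host) &&
      uri.port == allowed.port &&
      request_target(uri).start_with?(request_target(allowed))
  end
end

# Audit helper: collect iframe src values from rendered post HTML (simple regex,
# stdlib only) and return those the allowlist would not permit.
def disallowed_iframe_srcs(html, prefixes = ALLOWED_IFRAME_PREFIXES)
  srcs = html.scan(/<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']*)["']/i).flatten
  srcs.reject { |src| iframe_src_allowed?(src, prefixes) }
end

# Constructed post body mixing permitted and non-permitted embeds.
SAMPLE_POST = <<~HTML
  <iframe src="https://codepen.io/anon/embed/abc?default-tab=result"></iframe>
  <iframe src="https://codepen.io.example.net/anon/embed/abc"></iframe>
  <iframe src="//codepen.io/anon/embed/abc"></iframe>
  <iframe src="https://www.openstreetmap.org/export/embed.html?bbox=0,0,1,1"></iframe>
HTML
```

Running `disallowed_iframe_srcs(SAMPLE_POST)` returns the two embeds whose origin does not match an allowed prefix: the lookalike host and the scheme-relative URL.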


How to mitigate CVE-2026-27166

Install security update from vendor's website.

Sources