Cross-site scripting in Discourse - CVE-2026-27166
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to modify the URL of the main page.
The vulnerability exists due to improper neutralization of input in the default Codepen allowed iframes value when processing prohibited iframe URLs. A remote user can craft content containing an iframe that, once a victim interacts with it, changes the URL of the main (top-level) page.
User interaction is required.
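The advisory describes an iframe allowlist that let a prohibited iframe URL through and a framed page that could then change the top-level URL, but it does not state how the default Codepen entry was bypassed. The following is an added example, not Discourse's code, showing the two defensive measures that address this class of bug in general: comparing iframe `src` values against an allowlist component by component (scheme, host, port, path) instead of by raw string prefix, and rendering even allowed embeds with a `sandbox` attribute that omits `allow-top-navigation`. The allowlist entry, the lookalike host names and the `naivePrefixCheck` helper are constructed for illustration only.

```javascript
// Added example (not Discourse's code): strict allowlisting of iframe src
// values plus a sandbox attribute that denies top-level navigation.
// The allowlist entry below is constructed for illustration.
const ALLOWED_IFRAME_PREFIXES = [
  "https://codepen.io/",
];

// Pitfall shown for contrast: a raw string-prefix comparison. A host that
// merely begins with the allowed text (codepen.io.attacker.example) passes.
// This is a generic weakness of prefix matching, not the page's stated cause.
function naivePrefixCheck(src, prefixes = ALLOWED_IFRAME_PREFIXES) {
  return prefixes.some((p) => src.startsWith(p.replace(/\/$/, "")));
}

// Strict check: parse both sides with the WHATWG URL API and compare the
// individual components, so lookalike hosts, userinfo tricks and non-https
// schemes are all rejected.
function isAllowedIframeSrc(src, prefixes = ALLOWED_IFRAME_PREFIXES) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false; // relative or unparsable values are rejected outright
  }
  if (url.protocol !== "https:") return false; // also rejects javascript:, data:
  if (url.username || url.password) return false; // reject https://host@other forms
  return prefixes.some((p) => {
    const allowed = new URL(p);
    return (
      url.hostname === allowed.hostname &&
      url.port === allowed.port &&
      url.pathname.startsWith(allowed.pathname)
    );
  });
}

// Build the attribute set for an embed. Even an allowed origin is rendered
// with a sandbox that omits allow-top-navigation (and its -by-user-activation
// variant), so the framed document cannot change the parent's location.
function buildIframeAttrs(src) {
  if (!isAllowedIframeSrc(src)) return null; // caller drops the iframe
  return {
    src,
    sandbox: "allow-scripts allow-same-origin allow-forms allow-popups",
    referrerpolicy: "no-referrer",
  };
}

// Stand-alone demonstration on constructed inputs.
for (const candidate of [
  "https://codepen.io/someone/embed/abc",
  "https://codepen.io.attacker.example/embed/abc",
  "https://codepen.io@attacker.example/embed/abc",
  "javascript:alert(1)",
]) {
  console.log(candidate, "naive:", naivePrefixCheck(candidate),
    "strict:", isAllowedIframeSrc(candidate));
}
```

The `sandbox` value deliberately leaves out every `allow-top-navigation*` token; that is what stops a framed page from rewriting the main page's URL regardless of whether the allowlist check was correct.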