Cross-site scripting in Discourse - CVE-2026-33395
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to inject malicious JavaScript code.
The vulnerability exists due to cross-site scripting in the discourse-graphviz plugin when processing DOT graph definitions. A remote user can submit a specially crafted graph definition to inject malicious JavaScript code.
Only instances with Content Security Policy (CSP) disabled are vulnerable. Exploitation requires user interaction: a user must view the stored content.
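A triage check for the CSP condition above, added here as an example (it is not part of the advisory or of Discourse): it classifies the CSP headers of a response to show whether a policy that blocks inline script is actually enforced. The function names, status labels and sample header sets are assumptions constructed for this example.

```python
# Added example: constructed header sets, not captured from a real Discourse site.
INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Parse one CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().lower().split()
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy

def inline_script_blocked(policy):
    """Simplified check: looks at script-src (fallback default-src) only."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # nothing in this policy governs script execution
    if "'unsafe-inline'" not in sources:
        return True
    # Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
    return "'strict-dynamic'" in sources or any(
        s.startswith(INLINE_OVERRIDES) for s in sources)

def csp_status(headers):
    """Classify (name, value) headers: enforced / weak / report-only / missing."""
    names = [(k.lower(), v) for k, v in headers]
    enforced = [parse_csp(v) for k, v in names if k == "content-security-policy"]
    if any(inline_script_blocked(p) for p in enforced):
        return "enforced"  # all enforced policies apply, so one blocking policy suffices
    if enforced:
        return "weak"  # a policy is enforced but still permits inline script
    # A Report-Only policy reports violations but blocks nothing.
    if any(k == "content-security-policy-report-only" for k, _ in names):
        return "report-only"
    return "missing"

SAMPLES = {  # constructed inputs
    "nonce policy": [("Content-Security-Policy", "script-src 'self' 'nonce-r4nd0m'")],
    "inline allowed": [("content-security-policy", "default-src * 'unsafe-inline'")],
    "report only": [("Content-Security-Policy-Report-Only", "script-src 'self'")],
    "no header": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {csp_status(hdrs)}")
```

Any result other than `enforced` means the response is not protected by a CSP that stops inline script, which is the condition the advisory names for exposure.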