Cross-site scripting in Discourse - CVE-2026-32243
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in the discourse-ai shared conversations onebox preview when rendering crafted conversation titles. A remote user can create a shared AI conversation with a specially crafted title to execute arbitrary script code in the victim's browser.
This may allow session hijacking or unauthorized actions on behalf of the victim.