Cross-site scripting in Discourse - CVE-2026-32607
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of a user viewing an affected topic.
The vulnerability exists because assignment-related UI rendering paths output user or group display names without escaping them. A remote user can set a crafted assignee name to execute arbitrary JavaScript in the browser of a user viewing an affected topic.
Only sites with the assign plugin enabled and the hidden prioritize_full_name_in_ux site setting manually enabled via the console are vulnerable.
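The rendering flaw and the setting dependency described above, shown as an added example that is not Discourse's or the assign plugin's code. The record fields, the `assigned-to` class, the function names, and the assumption that the setting switches the displayed label from username to full name are hypothetical, and the sample records are constructed.

```javascript
// Added illustration; not taken from Discourse or the assign plugin.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: with the setting on, the free-form full name is shown
// instead of the username.
function displayLabel(assignee, prioritizeFullName) {
  return prioritizeFullName && assignee.name ? assignee.name : assignee.username;
}

// Vulnerable pattern: the label is interpolated into markup as-is.
function renderAssigneeUnsafe(assignee, prioritizeFullName) {
  return `<span class="assigned-to">${displayLabel(assignee, prioritizeFullName)}</span>`;
}

// Hardened pattern: the label is escaped at the point of output.
function renderAssigneeSafe(assignee, prioritizeFullName) {
  return `<span class="assigned-to">${escapeHtml(displayLabel(assignee, prioritizeFullName))}</span>`;
}

// Audit helper: usernames of records whose display name contains a tag-like
// sequence. Names such as "O'Brien" or "R&D" are not flagged.
function findMarkupNames(records) {
  return records
    .filter((r) => /<\/?[a-zA-Z!]/.test(r.name || ""))
    .map((r) => r.username);
}

// Constructed sample records (users or groups).
const SAMPLE = [
  { username: "alice", name: "Alice O'Brien" },
  { username: "rnd", name: "R&D Team" },
  { username: "mallory", name: "<u>Mallory</u>" },
];

for (const record of SAMPLE) {
  console.log(renderAssigneeUnsafe(record, true), "=>", renderAssigneeSafe(record, true));
}
console.log("names needing review:", findMarkupNames(SAMPLE));
```

With the flag off, both renderers emit the username, which is consistent with the advisory limiting exposure to sites that enabled the setting.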