Cross-site scripting in Discourse - CVE-2026-27740
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a staff member's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the Review Queue interface when rendering raw AI LLM output with htmlSafe. A remote user can use prompt injection techniques to cause the AI to return a payload that, when rendered, executes arbitrary script code in a staff member's browser.
User interaction is required: a staff member must view the flagged post in the Review Queue.
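As an added illustration that is not Discourse's own code, the pattern described above beside its hardened form: a stand-in for Ember's htmlSafe/SafeString (names assumed to mirror Ember's, but reimplemented here so the snippet runs without Ember) next to plain escaping, run over a constructed sample of model output.

```javascript
// Added illustration (not Discourse's code): why marking raw LLM output as
// htmlSafe is dangerous, and the fix of escaping it before rendering.
// SafeString below is a stand-in for Ember's SafeString wrapper, which tells
// the template engine to emit the string without escaping.
class SafeString {
  constructor(str) { this.str = str; }
  toHTML() { return this.str; }
}

// Stand-in for Ember's htmlSafe(): marks a string as trusted markup.
function htmlSafe(str) {
  return new SafeString(str);
}

// Escape the five characters that can break out of an HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Stand-in for the template engine: a SafeString is emitted verbatim,
// everything else is escaped.
function renderInterpolation(value) {
  return value instanceof SafeString ? value.toHTML() : escapeHtml(value);
}

// Vulnerable pattern: model output treated as trusted markup.
function renderReviewNoteUnsafe(llmOutput) {
  return `<div class="ai-review">${renderInterpolation(htmlSafe(llmOutput))}</div>`;
}

// Hardened pattern: model output is untrusted text, so the engine escapes it.
function renderReviewNoteSafe(llmOutput) {
  return `<div class="ai-review">${renderInterpolation(llmOutput)}</div>`;
}

// Constructed sample: model output carrying markup that a prompt injection
// could have coaxed out of the model.
const SAMPLE_LLM_OUTPUT = 'This post looks fine.<script>/* attacker-controlled */</script>';

function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsRawScriptTag(renderReviewNoteUnsafe(SAMPLE_LLM_OUTPUT))); // true
console.log(containsRawScriptTag(renderReviewNoteSafe(SAMPLE_LLM_OUTPUT)));   // false
```

The same rule applies to any model output: pass it through as plain text, or run it through an allowlist sanitizer first, and reserve htmlSafe for markup the application itself produced.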