Cross-site scripting in Discourse - CVE-2026-27570
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to cross-site scripting in the SharedAiConversation onebox method when rendering a shared AI conversation title into HTML. A remote user can create a shared AI conversation with a crafted title to execute arbitrary script code in a victim's browser.
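
The bug class described above, shown as an added example that is not Discourse's code or the actual patch: a user-controlled title interpolated into onebox HTML without escaping, next to the same template with escaping at the point of output, plus a regression check that the rendered tag set matches the template. The Conversation struct, method names, markup and sample values are all hypothetical and constructed for illustration.

```ruby
require "erb"

# Hypothetical stand-in for a shared conversation record (not Discourse's model).
Conversation = Struct.new(:title, :url, :excerpt)

# Escape helper: converts &, <, >, " and ' to HTML entities.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Vulnerable pattern: untrusted fields are interpolated into markup as-is,
# so any markup in the title becomes part of the page.
def onebox_html_unsafe(conv)
  <<~HTML
    <aside class="onebox ai-share">
      <h3><a href="#{conv.url}">#{conv.title}</a></h3>
      <p>#{conv.excerpt}</p>
    </aside>
  HTML
end

# Hardened pattern: every untrusted field is escaped where it is written out,
# so the title can only ever render as text.
def onebox_html_safe(conv)
  <<~HTML
    <aside class="onebox ai-share">
      <h3><a href="#{h(conv.url)}">#{h(conv.title)}</a></h3>
      <p>#{h(conv.excerpt)}</p>
    </aside>
  HTML
end

# Regression check: names of all opening tags in the rendered output.
# A correct renderer yields exactly the template's own tags, whatever the input.
def tag_names(html)
  html.scan(/<\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase).sort
end

EXPECTED_TAGS = %w[a aside h3 p].freeze

# Constructed sample input: a title carrying markup, an excerpt with quotes and "&".
SAMPLE = Conversation.new(
  "Release notes <script>alert(1)</script>",
  "https://forum.example/ai/share/abc",
  "Summary of \"Q3\" & follow-ups"
)

if __FILE__ == $PROGRAM_NAME
  puts "unsafe tags: #{tag_names(onebox_html_unsafe(SAMPLE)).inspect}"
  puts "safe tags:   #{tag_names(onebox_html_safe(SAMPLE)).inspect}"
end
```

A tag-set assertion of this kind fits in a renderer's test suite, where it fails as soon as any field reaches the template unescaped.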