Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Discourse - CVE-2026-32273
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in category description update handling via the API when processing a user-supplied description string. A remote user can submit a crafted category description via the API to execute arbitrary script in a victim's browser.
User interaction is required for the crafted content to be viewed.
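The defect class described above is a stored XSS: a string accepted through an API endpoint is later emitted into a page without the HTML-tag neutralization the advisory calls for. The following Ruby is an added illustration written for this page; it is not Discourse's own code and does not reproduce the affected handler. The function names, the `ALLOWED_TAGS` list and the sample description string are all constructed assumptions. It shows the unsafe interpolation pattern beside two defender-side alternatives from the Ruby standard library (Discourse is a Rails application): full output escaping with `CGI.escapeHTML`, and an escape-then-allowlist sanitizer for a field that is meant to accept a few attribute-less formatting tags. A small check function lets a test suite confirm that script-related markup from the untrusted input does not survive rendering.

```ruby
require 'cgi'

# Constructed sample: a category description string as it might arrive in an
# API update request. It mixes legitimate formatting with a script tag.
SAMPLE_DESCRIPTION = 'Ops team <b>announcements</b> <script>alert(1)</script>'

# Unsafe pattern (illustrative, hypothetical): the API-supplied description is
# interpolated straight into an HTML fragment, so any tag it contains is live.
def render_description_unsafe(description)
  "<div class=\"category-description\">#{description}</div>"
end

# Hardened pattern: contextual output encoding turns '<', '>', '&' and quotes
# into entities, so every tag in the string renders as inert text.
def render_description_escaped(description)
  "<div class=\"category-description\">#{CGI.escapeHTML(description)}</div>"
end

# Allowlist sanitizer for a description field that should keep a few simple
# formatting tags. Everything is escaped first; only bare, attribute-less
# allowlisted tags (e.g. &lt;b&gt; and &lt;/b&gt;) are re-enabled afterwards,
# so no attributes and no other element names can reach the page.
ALLOWED_TAGS = %w[b i em strong].freeze

def sanitize_description(description)
  escaped = CGI.escapeHTML(description)
  escaped.gsub(%r{&lt;(/?)(#{ALLOWED_TAGS.join('|')})&gt;}i) do
    "<#{Regexp.last_match(1)}#{Regexp.last_match(2).downcase}>"
  end
end

# Defensive check for a test suite or a pre-deploy regression test: does the
# rendered fragment still contain an opening script tag from the input?
SCRIPT_TAG = /<\s*script\b/i

def contains_script_tag?(html)
  !(html =~ SCRIPT_TAG).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:    #{render_description_unsafe(SAMPLE_DESCRIPTION)}"
  puts "escaped:   #{render_description_escaped(SAMPLE_DESCRIPTION)}"
  puts "sanitized: #{sanitize_description(SAMPLE_DESCRIPTION)}"
end
```

The sanitizer re-enables tags only by matching the exact escaped token `&lt;tag&gt;`, which is why attributes (and therefore event handlers) can never be reintroduced; if a field needs richer markup, a real HTML sanitizer library with an explicit allowlist is the right tool rather than extending this regex.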