Cross-site scripting in Discourse - CVE-2025-67723
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to perform cross-site scripting.
The vulnerability exists due to improper neutralization of input during web page generation in the discourse-math plugin KaTeX variant when rendering mathematical content. A remote user can submit specially crafted content to perform cross-site scripting.
Content Security Policy mitigates the impact, and user interaction is required to view the crafted content.