Cross-site scripting in Discourse - CVE-2021-41095
Published: September 27, 2021 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to cross-site scripting in error message rendering when displaying blocked watched words containing user input. A remote user can submit crafted input to execute arbitrary script code in a victim's browser.
This only affects sites that have blocked watched words containing HTML tags and have modified or disabled the default Content Security Policy.