Cross-site scripting in Discourse - CVE-2021-37633
Published: August 7, 2021 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in d-popover and d-html-popover attribute rendering when rendering tooltip content. A remote attacker can supply crafted content to execute arbitrary script in a victim's browser.
This vulnerability only affects sites that have modified or disabled the default Content Security Policy.