Cross-site scripting in Discourse - CVE-2026-53962

Published: July 1, 2026


Vulnerability identifier: #VU136600
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53962
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to insufficient sanitization in SVG handling when crafted SVG content is processed and served through specific URLs. A remote user with low privileges on the forum (CVSS PR:L) can supply crafted SVG content and then trick a victim into visiting one of those URLs, at which point the script embedded in the SVG runs in the victim's browser in the context of the Discourse site.

User interaction is required: the victim must visit specific URLs that are not normally part of the community browsing experience (CVSS UI:P). The issue occurs only under some site configurations. The CVSS vector rates no confidentiality, integrity or availability impact on the Discourse server itself (VC:N/VI:N/VA:N) and a low impact on the subsequent system, i.e. the victim's browser session (SC:L/SI:L), which is why the severity is rated Low.
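The advisory describes the bug only as "insufficient sanitization in SVG handling", so as a worked illustration of what such sanitization has to catch, the following is an added example, not Discourse's own code and not a reproduction of the CVE-2026-53962 defect. It scans an SVG upload with the Python standard-library XML parser for the classes of content that execute script when an SVG is rendered inline or opened on the site's own origin: `<script>` and `<foreignObject>`, `on*` event-handler attributes, `javascript:` URLs (including the whitespace- and entity-obfuscated forms browsers still accept), and SMIL animation elements that rewrite `href` at runtime. The element and attribute lists, the function names, and the two sample documents are all constructed for the demo.

```python
"""Pre-publication check for user-supplied SVG.

Added example for this advisory, not Discourse's own code; it does not
reproduce the CVE-2026-53962 defect, only the classes of content an SVG
sanitizer must catch. The sample documents below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that run or embed active content when an SVG is rendered
# inline or opened as a document on the site's own origin.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# SMIL elements that can rewrite another element's attributes at runtime,
# e.g. turn a plain <a> into a javascript: link after a static check passed.
ANIMATION_ELEMENTS = {"set", "animate", "animatemotion", "animatetransform"}
# Attributes whose value is resolved as a URL.
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def has_script_scheme(value):
    """Browsers ignore whitespace and control characters inside a URL scheme,
    so normalise before comparing ("java\\tscript:" is still javascript:).
    Character references such as &#x6A; are already decoded by the XML parser."""
    scheme = re.sub(r"[\s\x00-\x1f]", "", value).split(":", 1)[0].lower()
    return scheme in {"javascript", "vbscript"}


def scan_svg(svg_text):
    """Return a list of findings describing script-capable constructs.

    An empty list means none of the known classes is present. A malformed
    document or a non-SVG root is returned as a finding rather than raised,
    so the caller can treat it as a rejection like any other.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is not <svg> in the SVG namespace: {root.tag}"]

    findings = []
    for el in root.iter():  # document order, root included
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        if tag in ANIMATION_ELEMENTS:
            target = el.attrib.get("attributeName", "").lower()
            if target.endswith("href") or target.startswith("on"):
                findings.append(f"<{tag}> animates {target}")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and has_script_scheme(value):
                findings.append(f"script URL in {name} on <{tag}>: {value!r}")
    return findings


def accept_svg_upload(svg_text):
    """Reject-on-any-finding policy: rejecting is safer than stripping in place,
    because a stripper has to be right about every construct, a rejecter only
    has to notice one."""
    return not scan_svg(svg_text)


# Constructed sample: a benign icon.
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="#0f0"/>
</svg>"""

# Constructed sample: one instance of each class the scanner looks for.
HOSTILE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="java&#x09;script:alert(3)"><text y="10">click</text></a>
  <set attributeName="href" to="javascript:alert(4)"/>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "accepted" if accept_svg_upload(doc) else "rejected")
        for finding in scan_svg(doc):
            print("  -", finding)
```

The check works on the parsed tree rather than on the raw text on purpose: entity-encoded scheme names and tab characters inside `javascript:` are decoded by the parser before the comparison, which is exactly where a regex over the raw bytes would be fooled. It is a gate for uploads, not a substitute for the vendor fix, and it says nothing about how Discourse itself sanitizes or serves SVG.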


How to mitigate CVE-2026-53962

Install the security update from the vendor's website, i.e. upgrade Discourse to a release that contains the fix. The advisory lists no affected version range, so check the running version against the vendor's release notes rather than assuming a recent install is unaffected. Because the issue depends on site configuration and on users visiting URLs outside normal browsing, treat the Low severity as a statement about impact, not about whether your configuration is exposed.
