Cross-site scripting in Discourse - CVE-2026-53962
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.
The vulnerability exists because SVG content is insufficiently sanitized when it is processed via specific URLs. A remote user can supply crafted SVG content and trick the victim into visiting those URLs, causing arbitrary script code to execute in the victim's browser.
Exploitation requires the victim to visit specific URLs that are not normally part of the community browsing experience, and the issue occurs only under some site configurations.
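As an added illustration of the mitigation class this advisory points to (not Discourse's own code, which the advisory does not show), the following Python check flags active content in user-supplied SVG so that such files can be rejected or served as downloads rather than rendered inline. The element and attribute lists, and the sample documents, are assumptions drawn from general SVG knowledge rather than from the advisory.

```python
import xml.etree.ElementTree as ET
from typing import List

# Assumed lists of constructs that let an SVG run script when a browser
# renders it as a document; the advisory does not say which were mishandled.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def _local(name: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> List[str]:
    """Return the reasons this SVG could execute script if rendered inline.

    An empty list means this check found no active content. Unparseable input
    is reported as a finding so it is never treated as safe by default.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():  # iter() walks the root and all descendants
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            # Event-handler attributes (onload, onclick, ...) run script.
            if _local(attr).lower().startswith("on"):
                findings.append(f"event handler {_local(attr)} on <{name}>")
            # href/xlink:href pointing at a javascript: URL also runs script.
            if attr in HREF_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {_local(attr)} on <{name}>")
    return findings


def safe_to_inline(svg_text: str) -> bool:
    """True only when the check found nothing that could execute script."""
    return not find_active_content(svg_text)


# Constructed samples for demonstration (not taken from the advisory).
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'
EVENT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="1"/></svg>'
```

A deployment would reject flagged uploads, or serve them with a `Content-Disposition: attachment` header so the browser never renders them as a document, and should treat this check as one layer alongside a restrictive Content-Security-Policy rather than as the only control.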