Cross-site scripting in Discourse - CVE-2026-55424
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation when the topic list renders a user-supplied topic featured link. A remote user can set a crafted featured link on a topic to execute arbitrary JavaScript code in the browser of any user who views that topic list.
This issue is exploitable only on sites that have modified or disabled the default Content Security Policy, and any user viewing a topic list containing the affected topic may be targeted.
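As an added example (not Discourse's own code), this is the neutralization a defender would expect in a featured-link renderer: accept only absolute http(s) URLs and HTML-escape the value before it is placed into the topic-list anchor. The function names and the anchor markup are assumptions for illustration.

```javascript
// Added example, not Discourse code: hardened rendering of a user-supplied
// "featured link" into a topic-list row. Two defences are applied:
//   1. the URL is parsed and only http(s) schemes are accepted, so
//      script-bearing schemes (javascript:, data:) never reach the markup;
//   2. the value is HTML-escaped so it cannot break out of the attribute.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Return the normalised URL string, or null if the link is not an absolute
// http(s) URL. Relative and malformed values are rejected, not guessed at.
function safeFeaturedLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href; // WHATWG parsing percent-encodes ", <, > in the query
}

// Render the anchor for a topic-list row. An unsafe link is dropped (empty
// string) rather than emitted unescaped; the visible label is the hostname.
function renderFeaturedLink(raw) {
  const href = safeFeaturedLink(raw);
  if (href === null) return "";
  const label = escapeHtml(new URL(href).hostname);
  return `<a class="topic-featured-link" rel="nofollow ugc noopener" ` +
    `target="_blank" href="${escapeHtml(href)}">${label}</a>`;
}
```

This is the application-layer fix; the advisory's CSP condition means the default policy was the only thing standing between unescaped output and script execution, so CSP should be treated as defence in depth rather than as the remediation.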