Cross-site scripting in Discourse - CVE-2026-55424

Published: July 1, 2026


Vulnerability identifier: #VU136601
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55424
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation (CWE-79) when the topic list renders a user-supplied topic featured link. A remote user who can set a topic's featured link can supply a crafted value that executes arbitrary JavaScript code in the browser of any user viewing a topic list that contains that topic.
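
The following is an added example, not code from Discourse or from this advisory: it shows the general shape of a featured-link XSS sink (a user-controlled URL interpolated into topic-list HTML without escaping or scheme validation) next to a hardened renderer that allowlists http(s) schemes and escapes attribute and text content. The function names and sample inputs are constructed for illustration and do not reproduce the affected Discourse code.

```javascript
// Added example (hypothetical helpers, not Discourse's implementation).

// Vulnerable pattern: the user-supplied URL is dropped straight into an
// attribute value and into text content. A quote breaks out of href, a
// javascript: URL runs on click, and "</a><script>" lands in text context.
function renderFeaturedLinkUnsafe(url) {
  return `<a class="topic-featured-link" href="${url}">${url}</a>`;
}

// Only navigable web schemes are acceptable for a featured link.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the characters that matter in both HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns a normalized absolute http(s) URL, or null when the value must
// not be rendered as a link at all (relative/garbage input, javascript:,
// data:, vbscript:, ...). WHATWG URL parsing also percent-encodes quotes
// and whitespace in the path, so breakout characters never reach the HTML.
function sanitizeFeaturedLink(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  return parsed.href;
}

// Hardened pattern: scheme allowlist first, then contextual escaping.
function renderFeaturedLinkSafe(url) {
  const clean = sanitizeFeaturedLink(url);
  if (clean === null) return "";
  const esc = escapeHtml(clean);
  return `<a class="topic-featured-link" href="${esc}" rel="nofollow noopener">${esc}</a>`;
}

// Constructed sample values a malicious user might set as a featured link.
const SAMPLE_LINKS = [
  "https://example.com/article",
  'https://example.com/" onmouseover="alert(1)',
  "javascript:alert(document.cookie)",
  "</a><script>alert(1)</script>",
];

// Render every sample through both paths so the difference is visible.
function compareRenderers(links = SAMPLE_LINKS) {
  return links.map((input) => ({
    input,
    unsafe: renderFeaturedLinkUnsafe(input),
    safe: renderFeaturedLinkSafe(input),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareRenderers()) console.log(row);
}
```

The allowlist on `parsed.protocol` is the important half: escaping alone would still emit a clickable `javascript:` URL, and `new URL` rejecting relative or malformed input means the renderer never has to reason about partial URLs.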

This issue is exploitable only on sites whose administrators have modified or disabled the default Content Security Policy; with the default policy in place the injected script is blocked. On an affected site, any user viewing a topic list containing the crafted topic may be targeted.
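
Because the CSP is the precondition, the first thing an operator should verify is whether their deployed policy still blocks injected script. The check below is an added example, not part of this advisory or of Discourse: it parses the value of a `Content-Security-Policy` response header (for instance as captured from the site with a HEAD request) and reports whether inline or injected `<script>` elements would run. The sample headers are constructed and do not claim to be Discourse's default policy; the evaluator is a heuristic, not a complete CSP implementation.

```javascript
// Added example: heuristic "does this CSP still stop injected script" check.

// Parse a CSP header into a directive-name -> source-list map.
// Per the spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header).split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when an injected <script> element would execute under this policy.
// Governing directive for script elements, in order of precedence:
// script-src-elem, then script-src, then default-src; none present means
// no restriction at all.
function cspAllowsInlineScript(header) {
  const d = parseCsp(header);
  const sources =
    d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s)
  );
  // CSP Level 3: 'unsafe-inline' is ignored when a nonce or hash is listed.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  return false;
}

// Constructed sample headers (assumptions for the demo, not real site output).
const CSP_SAMPLES = {
  strict:
    "base-uri 'none'; object-src 'none'; script-src 'self' 'nonce-abc123' https://cdn.example.com",
  loosened: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  noScriptSrc: "default-src 'self' 'unsafe-inline'",
  missing: "",
};

// Summarize each sample as {name, allowsInline}.
function auditSamples(samples = CSP_SAMPLES) {
  return Object.entries(samples).map(([name, header]) => ({
    name,
    allowsInline: cspAllowsInlineScript(header),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditSamples()) console.log(row);
}
```

A result of `allowsInline: true` for your own header means the mitigating control this advisory relies on is no longer in place, and the patch should be treated as urgent rather than low priority.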


How to mitigate CVE-2026-55424

Install the security update from the vendor's website. Until the update is applied, restoring the default Content Security Policy removes the precondition that makes this issue exploitable.

Sources