Cross-site scripting in Discourse - CVE-2026-53963
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to cross-site scripting in the 2FA delete confirmation modal when rendering a malicious 2FA name. A remote user can use a malicious name for a 2FA on an attacker-controlled account to escalate privileges.
Exploitation requires user interaction: an administrator must impersonate the attacker-controlled account.
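
The class of flaw described above, shown as an added example that is not Discourse source code: a confirmation message that interpolates a user-chosen 2FA name as markup, next to a version that escapes it, plus a simple audit of stored names. The function names, message wording and sample records are assumptions made for illustration.

```javascript
// Added illustration; not Discourse source code. All names are hypothetical.

// Escape the characters that let text break out of an HTML text/attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the 2FA name is placed into the modal markup as-is,
// so any tags in the name become part of the page.
function confirmDeleteUnsafe(name) {
  return `<p>Are you sure you want to delete <strong>${name}</strong>?</p>`;
}

// Hardened pattern: the name is treated as text and escaped before interpolation.
function confirmDeleteSafe(name) {
  return `<p>Are you sure you want to delete <strong>${escapeHtml(name)}</strong>?</p>`;
}

// Defensive audit: return the user ids whose stored 2FA name contains angle
// brackets, so those accounts can be reviewed before anyone impersonates them.
function flagSuspiciousNames(records) {
  return records.filter((r) => /[<>]/.test(r.name)).map((r) => r.userId);
}

// Constructed sample records (not real data).
const sampleRecords = [
  { userId: 101, name: "Work phone" },
  { userId: 102, name: '<img src=x onerror="alert(1)">' },
  { userId: 103, name: "Bob's YubiKey" },
];

// Render the same hostile name both ways and run the audit.
function demo() {
  const hostile = sampleRecords[1].name;
  return {
    unsafe: confirmDeleteUnsafe(hostile),
    safe: confirmDeleteSafe(hostile),
    flagged: flagSuspiciousNames(sampleRecords),
  };
}

console.log(demo());
```

The escaped output displays the name literally in the modal, and the audit flags only the record whose name contains markup.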