Cross-Site Scripting Vulnerability in Discourse Open Source Discussion Platform
CVE-2025-48954

8.1 HIGH

Key Information:

Vendor: Discourse

CVE Published: 25 June 2025

What is CVE-2025-48954?

A cross-site scripting vulnerability has been identified in Discourse, an open-source discussion platform, affecting versions prior to 3.5.0.beta6. The risk arises when the content security policy (CSP) is not enabled for users authenticating via social logins, potentially allowing malicious scripts to be executed. To mitigate this issue, update to version 3.5.0.beta6, or enable the content security policy as a workaround.

Affected Version(s)

discourse < 3.5.0.beta6

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
