XSS Vulnerability in Discourse Open-Source Discussion Platform
CVE-2025-54411

2.4 LOW

Key Information:

Vendor: Discourse
Status: Vendor
CVE Published: 19 August 2025

What is CVE-2025-54411?

The Discourse open-source discussion platform has a Cross-Site Scripting (XSS) vulnerability in the welcome banner user name string shown to logged-in users. This flaw could let harmful scripts run in users' sessions, or let an admin perform actions while impersonating a user. Specifically, administrators can modify the welcome banner text, and the preferred_display_name placeholder in that text was not properly handled (escaped) when rendered. Users should upgrade to Discourse version 3.5.0.beta8 or later to mitigate this risk.
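As an added illustration (not Discourse's own code): a minimal renderer for an admin-editable welcome banner that carries a display-name placeholder, showing the unescaped substitution that produces this class of XSS beside the escaped one. The `%{preferred_display_name}` placeholder syntax, the function names and the sample inputs are assumptions, not taken from Discourse.

```javascript
// Added example, not Discourse code. Placeholder syntax and names are assumed.

// Minimal HTML escaper for text interpolated into an HTML element context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed placeholder syntax for the user's preferred display name.
const PLACEHOLDER = /%\{preferred_display_name\}/g;

// Vulnerable pattern: the display name is spliced into the banner HTML verbatim,
// so markup in the name becomes live markup in every viewer's page.
function renderBannerUnsafe(template, displayName) {
  // A function replacer is used so "$&"-style sequences in the name are not
  // expanded by String.prototype.replace; the real defect here is the missing escape.
  return template.replace(PLACEHOLDER, () => displayName);
}

// Hardened pattern: the display name is HTML-escaped before substitution, so any
// markup in the name is rendered as literal text.
function renderBannerSafe(template, displayName) {
  return template.replace(PLACEHOLDER, () => escapeHtml(displayName));
}

// Constructed sample input: an admin-edited banner plus a display name that
// carries markup (a common XSS test string, used here only to show the difference).
const SAMPLE_TEMPLATE = "<h2>Welcome back, %{preferred_display_name}!</h2>";
const SAMPLE_NAME = "<img src=x onerror=alert(1)>";

console.log("unsafe:", renderBannerUnsafe(SAMPLE_TEMPLATE, SAMPLE_NAME));
console.log("safe:  ", renderBannerSafe(SAMPLE_TEMPLATE, SAMPLE_NAME));
```

Running the block prints the two renderings; only the safe one keeps the angle brackets of the name as literal text.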

Affected Version(s)

discourse < 3.5.0.beta8

CVSS V4

Score: 2.4
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability Reserved