Cross-Site Scripting Vulnerability in Discourse Discussion Platform
CVE-2026-32243

5.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 31 March 2026

What is CVE-2026-32243?

Discourse, a popular open-source discussion platform, is affected by a cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript via specially crafted conversation titles. Users who create shared AI conversations within the affected versions risk exposing their sessions or performing unauthorized actions. This critical issue has been addressed in subsequent patches, emphasizing the need for users to upgrade to the secure versions to mitigate potential threats.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.3 < 2026.1.0-latest, 2026.1.3

discourse >= 2026.2.0-latest, < 2026.2.2 < 2026.2.0-latest, 2026.2.2

discourse >= 2026.3.0-latest, < 2026.3.0 < 2026.3.0-latest, 2026.3.0

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/cac7d618a56...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2026
Vulnerability Reserved
Mar 11, 2026

CVE-2026-32243 Data

JSON