Insufficient SVG Sanitization in Discourse's Upload Handling
CVE-2026-53962
5.4MEDIUM
What is CVE-2026-53962?
Discourse, an open-source discussion platform, was exposed to cross-site scripting due to insufficient sanitization of SVG files in user uploads and avatars. Users could be affected when visiting specific URLs that aren't typically accessed in community browsing. The issue has been addressed in subsequent releases, specifically versions 2026.1.5, 2026.4.2, 2026.5.1, and the latest 2026.6.0, ensuring robust security measures against this XSS vulnerability.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5
discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2
discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1