Insufficient SVG Sanitization in Discourse's Upload Handling
CVE-2026-53962

5.4MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-53962?

Discourse, an open-source discussion platform, was exposed to cross-site scripting due to insufficient sanitization of SVG files in user uploads and avatars. Users could be affected when visiting specific URLs that aren't typically accessed in community browsing. The issue has been addressed in subsequent releases, specifically versions 2026.1.5, 2026.4.2, 2026.5.1, and the latest 2026.6.0, ensuring robust security measures against this XSS vulnerability.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5

discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2

discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.