Stored Cross-Site Scripting in Discourse Platforms
CVE-2026-53963
7.3HIGH
What is CVE-2026-53963?
Discourse, an open-source discussion platform, had a vulnerability where the deletion confirmation dialog did not properly escape the name of a malicious second factor on an attacker-controlled account. This flaw allowed for stored cross-site scripting when an administrator impersonated that account. The vulnerability has been addressed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, securing the platform from potential exploitation.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5
discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2
discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1