Stored Cross-Site Scripting in Discourse Platforms
CVE-2026-53963

7.3HIGH

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-53963?

Discourse, an open-source discussion platform, had a vulnerability where the deletion confirmation dialog did not properly escape the name of a malicious second factor on an attacker-controlled account. This flaw allowed for stored cross-site scripting when an administrator impersonated that account. The vulnerability has been addressed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, securing the platform from potential exploitation.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5

discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2

discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.