JavaScript Injection Vulnerability in Discourse Discussion Platform
CVE-2026-55424
What is CVE-2026-55424?
The Discourse discussion platform was found to have a vulnerability where users could inject JavaScript into the topic list through improperly normalized featured links. This issue arose in versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, especially when default Content Security Policy protections were modified or disabled. This flaw poses a significant risk to web application security by enabling potential cross-site scripting (XSS) attacks, which could compromise user data and the integrity of discussions. It is crucial for users of affected versions to update to a patched release to mitigate this risk.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5
discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2
discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1