JavaScript Injection Vulnerability in Discourse Discussion Platform
CVE-2026-55424

7.4HIGH

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55424?

The Discourse discussion platform was found to have a vulnerability where users could inject JavaScript into the topic list through improperly normalized featured links. This issue arose in versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, especially when default Content Security Policy protections were modified or disabled. This flaw poses a significant risk to web application security by enabling potential cross-site scripting (XSS) attacks, which could compromise user data and the integrity of discussions. It is crucial for users of affected versions to update to a patched release to mitigate this risk.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5

discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2

discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1

References

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.