CVE-2024-53266

MEDIUM5.4EPSS 0.21%

Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse

Published: 2/20/2025Modified: 8/27/2025

Description

Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.

Affected packages (1)

Bitnami/discoursefrom 0, < 3.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-53266