CVE-2025-48954

MEDIUM6.1EPSS 10.1%

Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow

Published: 7/1/2025Modified: 11/13/2025

Also known as:GHSA-26p5-mjjh-wfcfBIT-discourse-2025-48954

Description

Discourse is an open-source discussion platform. Versions prior to 3.5.0 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0 patches the issue. As a workaround, have the content security policy enabled.

Affected packages (1)

Bitnami/discoursefrom 0, < 3.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-48954