CVE-2026-27166

MEDIUM5.4EPSS 0.05%

Discourse vulnerable to HTML injection via prohibited iframe URLs

Published: 3/27/2026Modified: 4/2/2026

Description

Discourse is an open source discussion platform. Prior to versions 2026.3.0, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes.

Affected packages (1)

Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

WEBhttps://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27166