CVE-2026-27570
EPSS 0.02%
Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
Published: 3/27/2026
Modified: 4/2/2026
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.
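To illustrate the pattern the advisory describes, here is an added example (not Discourse's own code) of a hypothetical onebox renderer that interpolates an untrusted conversation title straight into HTML, beside a hardened form that escapes it, plus a regression check; the sample title and URL are constructed.

```ruby
require "erb"

# Constructed sample input: an attacker-controlled conversation title
# carrying markup. Not taken from the advisory.
SAMPLE_TITLE = %q{Chat about <script>alert("xss")</script> pricing}
SAMPLE_URL   = "https://example.com/shared-ai-conversations/abc123"

# Mirrors the flaw class from the advisory (hypothetical, not Discourse code):
# the title lands in the onebox markup with no escaping, so any tag in it
# is rendered live wherever the onebox is embedded (stored XSS).
def onebox_html_unsafe(title, url)
  <<~HTML
    <aside class="onebox">
      <a href="#{url}">#{title}</a>
    </aside>
  HTML
end

# Hardened form: every untrusted value is HTML-escaped before interpolation.
# ERB::Util.html_escape encodes & < > " ' so the title is rendered as text.
# Note that escaping alone does not validate the URL scheme; a real renderer
# should also restrict href to http(s) URLs it generated itself.
def onebox_html_safe(title, url)
  <<~HTML
    <aside class="onebox">
      <a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(title)}</a>
    </aside>
  HTML
end

# Regression check for a test suite: does the rendered fragment still
# contain a script tag that originated in the untrusted title?
def contains_script_tag?(html)
  html.match?(/<\s*script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render leaks tag: #{contains_script_tag?(onebox_html_unsafe(SAMPLE_TITLE, SAMPLE_URL))}"
  puts "safe render leaks tag:   #{contains_script_tag?(onebox_html_safe(SAMPLE_TITLE, SAMPLE_URL))}"
end
```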
Affected packages (1)
- Bitnami/discourse: >= 2026.1.0, < 2026.1.2; >= 2026.2.0, < 2026.2.1; >= 2026.3.0, < 2026.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
References (5)
- WEB: https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1
- WEB: https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1
- WEB: https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc
- WEB: https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2026-27570