CVE-2026-27166

MEDIUM5.4EPSS 0.06%

Discourse vulnerable to HTML injection via prohibited iframe URLs

發布日:2026/3/27修改日:2026/4/2

也稱為:GHSA-h653-cq78-vjj2BIT-discourse-2026-27166

描述

Discourse is an open source discussion platform. Prior to versions 2026.3.0, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes.

受影響套件(1)

Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

參考連結(3)

WEBhttps://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27166