CVE-2021-41163

CRITICAL

Discourse - Remote Code Execution via Unvalidated subscribe_url

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-41163. PoCs published by ibrahmsql.

AI-analyzed exploit summary: This is a functional exploit PoC for CVE-2021-41163, targeting Discourse's theme import functionality to achieve remote code execution. The exploit crafts a malicious theme ZIP file with JavaScript, CSS, and template injection payloads, then uploads it via an authenticated admin session.

Description

Discourse is an open source platform for community discussion. In affected versions, maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To work around the issue without updating, requests with a path starting with /webhooks/aws could be blocked at an upstream proxy.

Exploits (2)

nomisec WORKING POC 3 stars
by ibrahmsql · poc
https://github.com/ibrahmsql/CVE-2021-41163

This is a functional exploit PoC for CVE-2021-41163, targeting Discourse's theme import functionality to achieve remote code execution. The exploit crafts a malicious theme ZIP file with JavaScript, CSS, and template injection payloads, then uploads it via an authenticated admin session.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Discourse < 2.7.8, Discourse < 2.8.0.beta6
Auth required
Prerequisites: Authenticated admin access to Discourse · Network access to the target Discourse instance · Ability to upload theme files
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by ibrahmsql · poc
https://github.com/ibrahmsql/discourse-CVE-2021-41163

This is a functional exploit PoC for CVE-2021-41163, targeting Discourse's theme import functionality to achieve remote code execution. It includes multiple payload types (JavaScript, CSS, Handlebars, etc.) and attempts privilege escalation if admin access is not initially available.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Discourse < 2.7.8, Discourse < 2.8.0.beta6
Auth required
Prerequisites: Admin access or privilege escalation via bypass techniques · Network access to the Discourse instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 10.0
EPSS 0.1981
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE: CWE-74
Status: published
Products (2)
discourse/discourse 2.8.0 beta1 (6 CPE variants)
discourse/discourse < 2.7.9
Published Oct 20, 2021
Tracked Since Feb 18, 2026