CVE-2024-52794

MEDIUM

Discourse - Cross-Site Scripting via Lightbox Thumbnail Click

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-52794. PoCs published by Beesco00.

AI-analyzed exploit summary This repository contains a detailed writeup for CVE-2024-52794, a stored XSS vulnerability in Discourse. The vulnerability allows arbitrary JavaScript execution via malicious filenames in uploaded images, affecting topics, comments, and direct messages.

Description

Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

nomisec WRITEUP
by Beesco00 · poc
https://github.com/Beesco00/CVE-2024-52794-Discourse-Stored-XSS

This repository contains a detailed writeup for CVE-2024-52794, a stored XSS vulnerability in Discourse. The vulnerability allows arbitrary JavaScript execution via malicious filenames in uploaded images, affecting topics, comments, and direct messages.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Discourse (≤ 3.3.2, ≤ 3.4.0.beta3)
Auth required
Prerequisites: User account with upload permissions
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 6.8
EPSS 0.0027
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
discourse/discourse 3.4.0 beta1 (3 CPE variants)
discourse/discourse < 3.3.2
discourse/discourse < 3.4.0
Published Dec 19, 2024
Tracked Since Feb 18, 2026