Description
giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits.
References (3)
Vendor Advisory x_refsource_confirm
https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3
Patch x_refsource_misc
https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389
Patch x_refsource_misc
https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a
Scores
CVSS v3
5.3
EPSS
0.0022
EPSS Percentile
43.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-285 (Improper Authorization)
Status
published
Products (1)
giscus/giscus
< c43af7806e65adfcf4d0feeebef76dc36c95cb9a
Published
Jul 07, 2025
Tracked Since
Feb 18, 2026