Description
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx
Scores
CVSS v3
4.6
EPSS
0.0019
EPSS Percentile
8.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-116
Status
published
Products (3)
discourse/discourse
2025.12.0
discourse/discourse
2026.1.0
discourse/discourse
< 3.5.4
Published
Jan 28, 2026
Tracked Since
Feb 18, 2026