CVE-2026-32243

MEDIUM

Discourse: Stored XSS in discourse-ai shared conversations onebox

Title source: cna

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References (2)

[X_Refsource_Confirm] https://github.com/discourse/discourse/security/advisories/GHSA-pjc5-8x3w-rfwx

[X_Refsource_Misc] https://github.com/discourse/discourse/commit/cac7d618a562ce934f8dbf73cdb70066a4806b4c

View Writeup ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 8.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (5)

discourse/discourse 2026.3.0 (2 CPE variants)

discourse/discourse 2026.1.0 - 2026.1.3

discourse/discourse >= 2026.1.0-latest, < 2026.1.3

discourse/discourse >= 2026.2.0-latest, < 2026.2.2

discourse/discourse >= 2026.3.0-latest, < 2026.3.0

Published Mar 31, 2026

Tracked Since Mar 31, 2026