CVE-2025-48062
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-09-26

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-09
Last Modified
2025-09-26
Generated
2026-05-07
AI Q&A
2025-06-09
EPSS Evaluated
2026-05-05
NVD
CVE-2025-48062
EUVD
EUVD-2025-17465
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.4.4 (exc)
discourse discourse to 3.5.0 (exc)
discourse discourse 3.5.0
discourse discourse 3.5.0
discourse discourse 3.5.0
discourse discourse 3.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-48062 is an HTML injection vulnerability in Discourse versions prior to 3.4.4 and 3.5.0.beta5. When inviting users via email to a topic or private message, if the topic title contains HTML code, that HTML is injected directly into the email body. This affects invitations sent to users without accounts and can include custom messages. The vulnerability allows malicious HTML to be included in emails, potentially leading to security risks. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to inject malicious HTML into invitation emails sent to users without accounts. This can lead to unauthorized access to sensitive information (high confidentiality impact), as the injected HTML could be used to steal data or perform phishing attacks. The attack requires low privileges and no user interaction, making it easier to exploit. However, the integrity impact is low and availability is not affected. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve monitoring outgoing invitation emails for HTML content in the topic title field that could indicate HTML injection. Specifically, inspect emails sent to users without accounts that include invitations to topics or private messages. There are no specific commands provided in the resources, but searching email logs or intercepting SMTP traffic for suspicious HTML in invitation emails referencing topic titles may help identify exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include overriding the relevant email templates (such as /admin/email/templates/invite_mailer) to exclude the {topic_title} variable, thereby preventing HTML injection in the email content. Additionally, upgrading Discourse to version 3.4.4 or later (for the stable branch) or to 3.5.0.beta5 or later (for the beta branch) will patch the vulnerability. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart