CVE-2026-32607
Received Received - Intake
Stored XSS in Discourse Assignment UI via Unescaped Display Names

Publication date: 2026-03-31

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console access to change), user and group display names are rendered without HTML escaping in several assignment-related UI paths. This allows users with assign permission to inject arbitrary HTML/JavaScript that executes in the browser of any user viewing an affected topic. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32607
EUVD
EUVD-2026-17552
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.3.0
discourse discourse From 2026.1.0 (inc) to 2026.1.3 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.2 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows users with assign permission to inject arbitrary HTML or JavaScript that executes in the browsers of other users viewing affected topics. Such cross-site scripting (XSS) attacks can potentially compromise the confidentiality and integrity of user interactions within the Discourse platform.

While the vulnerability impacts confidentiality and integrity at the application level, it does not affect system availability. The ability to execute malicious scripts in users' browsers could lead to unauthorized access to sensitive information or manipulation of user data, which may have implications for compliance with standards like GDPR and HIPAA that require protection of personal data and secure user interactions.

Mitigation involves updating to patched versions of Discourse where proper HTML escaping is enforced, reducing the risk of data exposure or unauthorized actions that could violate regulatory requirements.

Executive Summary

CVE-2026-32607 is a stored Cross-Site Scripting (XSS) vulnerability in the Discourse open-source discussion platform. It occurs when the hidden site setting 'prioritize_full_name_in_ux' is enabled, which is off by default and requires console access to activate. Under this condition, user and group display names are rendered without proper HTML escaping in several assignment-related user interface components. This flaw allows users with assign permissions to inject arbitrary HTML or JavaScript code that executes in the browsers of any users viewing the affected topics.

The vulnerability affects multiple UI paths including assignment tags in topic lists, first-post assignment indicators, small action post descriptions, mobile footer buttons, and the topic-level unassign menu. The root cause is that user and group names are inserted into HTML without sanitization, enabling malicious script injection.

This issue has been fixed in Discourse versions 2026.1.3, 2026.2.2, and 2026.3.0 by applying proper HTML escaping to user and group names before rendering.

Impact Analysis

This vulnerability allows an attacker with assign permissions to inject malicious HTML or JavaScript code into the Discourse platform's assignment-related UI components. When other users view the affected topics, the injected code executes in their browsers.

The impact includes potential compromise of confidentiality and integrity of user interactions, such as stealing session information, performing actions on behalf of users, or displaying misleading content. However, it does not affect system availability.

The severity is rated as Low with a CVSS v4 base score of 2.1, requiring low privileges and user interaction.

Detection Guidance

This vulnerability can be detected by checking if your Discourse instance is running a vulnerable version and if the hidden site setting `prioritize_full_name_in_ux` is enabled.

Specifically, verify the Discourse version to see if it falls within the vulnerable ranges: 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, or 2026.3.0-latest to before 2026.3.0.

Also confirm if the `prioritize_full_name_in_ux` setting is enabled, which is disabled by default and requires console access to change.

Since the vulnerability involves stored Cross-Site Scripting (XSS) via user or group display names in assignment-related UI components, you can attempt to detect it by inspecting assignment-related UI elements for unescaped HTML or JavaScript.

There are no specific network or system commands provided in the resources to detect this vulnerability automatically.

Mitigation Strategies

The primary and recommended mitigation is to update your Discourse installation to a patched version.

  • Upgrade to Discourse version 2026.1.3 or later if you are on the 2026.1.x branch.
  • Upgrade to Discourse version 2026.2.2 or later if you are on the 2026.2.x branch.
  • Upgrade to Discourse version 2026.3.0 or later if you are on the 2026.3.x branch.

If immediate upgrading is not possible, consider disabling the `prioritize_full_name_in_ux` site setting, which is disabled by default and requires console access to change, to prevent the vulnerability from being exploitable.

Ensure that only trusted users have assign permissions, as the vulnerability requires assign permission to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart