CVE-2026-33395
Received Received - Intake
Stored XSS in Discourse Graphviz Plugin Allows Script Injection

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33395
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the discourse-graphviz plugin of the Discourse platform prior to certain patched versions. It is a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions.

The vulnerability only affects instances where the Content Security Policy (CSP) is disabled. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 include patches that fix this issue.

Impact Analysis

An attacker who is an authenticated user can exploit this vulnerability to inject malicious JavaScript code into the platform. This can lead to cross-site scripting attacks, potentially compromising user sessions, stealing sensitive information, or performing actions on behalf of other users.

The impact is limited to instances where the Content Security Policy is disabled, which otherwise would help mitigate such attacks.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the stored cross-site scripting (XSS) vulnerability in the discourse-graphviz plugin, you should take one or more of the following immediate steps:

  • Disable the graphviz plugin in your Discourse instance.
  • Upgrade Discourse to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.
  • Enable a Content Security Policy (CSP) to prevent execution of malicious scripts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33395. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart