CVE-2026-33395
Received Received - Intake
Stored XSS in Discourse Graphviz Plugin Allows Script Injection

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33395
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the discourse-graphviz plugin of the Discourse platform prior to certain patched versions. It is a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions.

The vulnerability only affects instances where the Content Security Policy (CSP) is disabled. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 include patches that fix this issue.


How can this vulnerability impact me? :

An attacker who is an authenticated user can exploit this vulnerability to inject malicious JavaScript code into the platform. This can lead to cross-site scripting attacks, potentially compromising user sessions, stealing sensitive information, or performing actions on behalf of other users.

The impact is limited to instances where the Content Security Policy is disabled, which otherwise would help mitigate such attacks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate the stored cross-site scripting (XSS) vulnerability in the discourse-graphviz plugin, you should take one or more of the following immediate steps:

  • Disable the graphviz plugin in your Discourse instance.
  • Upgrade Discourse to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.
  • Enable a Content Security Policy (CSP) to prevent execution of malicious scripts.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart