CVE-2026-33411
Received Received - Intake
Stored XSS in Discourse Topic Titles Affects Post Streams

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33411
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue found in the Discourse open-source discussion platform. It affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability exists in the topic titles for the solved posts stream, where malicious scripts can be injected and stored. When other users view these topic titles, the malicious scripts may execute in their browsers.

A patch addressing this vulnerability is included in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. As a temporary workaround, enabling and properly configuring the Content Security Policy (CSP) can help mitigate the risk by restricting the execution of unauthorized scripts.

Impact Analysis

This stored XSS vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected topic titles. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement of content, or spreading malware.

The CVSS base score of 5.4 indicates a medium severity, meaning the impact is significant but not critical. The vulnerability requires network access and low privileges but does not require user interaction.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, ensure that your Discourse installation is updated to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

As a workaround, make sure that the Content Security Policy (CSP) is enabled and has not been modified in a way that would increase vulnerability to XSS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart