CVE-2026-53963
Undergoing Analysis Undergoing Analysis - In Progress

Stored XSS in Discourse Due to Unescaped Second Factor Name

Vulnerability report for CVE-2026-53963, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the two-factor authentication (2FA) delete confirmation dialog of Discourse. Detection involves identifying if any attacker-controlled 2FA method names contain malicious scripts that could execute when an administrator impersonates that account.

Since the vulnerability is related to malicious script injection in the 2FA method name, detection can be done by inspecting the 2FA method names stored in the Discourse database for suspicious or script-like content.

There are no specific commands provided in the resources, but a general approach would be to query the database for 2FA method names containing suspicious HTML or JavaScript code patterns such as <script> tags or event handlers.

  • Use SQL queries on the Discourse database to search for suspicious 2FA method names, for example: SELECT * FROM two_factor_methods WHERE name LIKE '%<script>%';
  • Review logs or UI interactions where administrators impersonate users and attempt to delete 2FA methods, monitoring for unexpected script execution or errors.

As a mitigation, enabling Content Security Policy (CSP) that blocks inline JavaScript can help reduce risk until the system is patched.

Compliance Impact

This vulnerability allows stored cross-site scripting (XSS) when an administrator impersonates an attacker-controlled account, potentially leading to unauthorized access or manipulation of sensitive information.

Such security issues can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure system access to prevent data breaches and unauthorized actions.

Failure to address this vulnerability could result in violations of these regulations due to compromised confidentiality and integrity of user data.

Executive Summary

This vulnerability exists in the Discourse open-source discussion platform prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. It involves a stored cross-site scripting (XSS) issue where a malicious second factor name on an attacker-controlled account was not properly escaped in the delete confirmation dialog. This flaw could be triggered when an administrator impersonated the attacker-controlled account, allowing the execution of malicious scripts.

Impact Analysis

The vulnerability can lead to stored cross-site scripting attacks, which may allow an attacker to execute arbitrary scripts in the context of an administrator's browser session. This can result in the compromise of administrative privileges, unauthorized actions, or theft of sensitive information accessible to the administrator.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart