PT-2026-26360 · Discourse · Discourse

Nlgbao1340 · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-27570

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
- Discourse versions prior to 2026.3.0-latest.1
- Discourse versions prior to 2026.2.1
- Discourse versions prior to 2026.1.2

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. A crafted conversation title could therefore be rendered as markup, allowing cross-site scripting (XSS) when the shared conversation is displayed.

Recommendations
- Update Discourse to version 2026.3.0-latest.1 or later.
- Update Discourse to version 2026.2.1 or later.
- Update Discourse to version 2026.1.2 or later.
- As a workaround, tighten access by restricting the ai bot public sharing allowed groups site setting.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

BIT-DISCOURSE-2026-27570
CVE-2026-27570
GHSA-HFXW-89HW-VWMV

Affected products

Discourse