PT-2026-26361 · Discourse · Discourse
Nlgbao1340 · Published 2026-03-19 · Updated 2026-04-10 · CVE-2026-27740
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description
Discourse, an open-source discussion platform, is affected by a cross-site scripting issue. The Review Queue interface renders output from an AI Large Language Model (LLM) with htmlSafe, trusting the model's text without sufficient sanitization. An attacker can use prompt injection to make the model emit a malicious payload, such as tags, in its output. When a staff member (Admin/Moderator) views the flagged post in the Review Queue, this payload is executed.
Recommendations
Versions prior to 2026.3.0-latest.1 should be updated.
Versions prior to 2026.2.1 should be updated.
Versions prior to 2026.1.2 should be updated.
As a temporary workaround, disable AI triage automation scripts.
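The defect described above, as an added illustration that is not Discourse's own code: a model verdict is passed through a "mark as safe" wrapper unchanged, beside the hardened form that escapes it first. `htmlSafe`, the `renderVerdict*` helpers, `containsActiveMarkup` and the sample model output are all hypothetical stand-ins constructed for this example.

```javascript
// Minimal stand-in for a template engine's "mark as safe" wrapper: the
// string is emitted into the page without escaping (hypothetical helper).
function htmlSafe(str) {
  return { html: str, safe: true };
}

// Escape the characters that can change HTML context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: model output goes straight into the safe wrapper,
// so any markup the model was steered into producing becomes live HTML.
function renderVerdictUnsafe(llmOutput) {
  return htmlSafe(`<div class="ai-verdict">${llmOutput}</div>`);
}

// Hardened pattern: LLM output is treated like any other untrusted string
// and escaped before it is marked safe.
function renderVerdictSafe(llmOutput) {
  return htmlSafe(`<div class="ai-verdict">${escapeHtml(llmOutput)}</div>`);
}

// Review aid: does a rendered fragment still contain active markup
// (script-like elements or inline event handlers)?
function containsActiveMarkup(fragment) {
  return /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=/i.test(fragment.html);
}

// Constructed sample (not a real model response): a triage verdict in which
// the flagged post's text steered the model into echoing a tag.
const SAMPLE_LLM_OUTPUT = "Verdict: spam. <script>/* injected via prompt */</script>";
```

Running both renderers over the constructed sample shows the unsafe fragment still carries a live tag while the hardened one carries only escaped text.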
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Discourse