PT-2025-20284 · Discourse · Discourse Code Review Plugin
Lillinator · Published 2025-05-07 · Updated 2025-08-20
CVE-2025-46824
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Discourse Code Review Plugin versions prior to commit eed3a80
Description
The vulnerability allows an attacker to execute arbitrary JavaScript in users' browsers by posting links to malicious GitHub commits. It affects the Discourse Code Review Plugin, which lets users review GitHub commits from within Discourse. As the CVSS vector indicates, exploitation requires a low-privileged account (PR:L) and has high attack complexity (AC:H); the impact is limited to confidentiality (C:L).
Recommendations
Update the plugin to a version that includes commit eed3a80, which resolves the issue.
As a temporary workaround, consider disabling the Discourse Code Review Plugin until the update is applied.
Tags: Exploit · Fix · XSS
Affected Products: Discourse Code Review Plugin