PT-2025-24432 · Discourse · Discourse

Tghxworld · Published 2025-06-09 · Updated 2025-10-01 · CVE-2025-48062

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.4.4
Discourse beta branch prior to 3.5.0.beta5
Discourse tests-passed branch prior to 3.5.0.beta6-dev

Description

HTML contained in a topic title is placed unescaped into the body of certain invitation emails, so markup supplied by whoever set the title is rendered as part of the mail. The affected mails are invites sent to a person without an account, either to a private message or to a topic with a custom message. The CVSS vector (PR:L) reflects that the attacker needs an ordinary account able to set a topic title and trigger such an invite; the recipient then sees attacker-controlled markup (for example a link) inside a mail that the forum legitimately sent.

Recommendations

For versions prior to 3.4.4, update to version 3.4.4 or later. On the beta branch, update to version 3.5.0.beta5 or later. On the tests-passed branch, update to version 3.5.0.beta6-dev or later. As a temporary workaround, override the affected invite email templates so that they no longer include the topic title placeholder; a template that never interpolates the title cannot carry its markup into the mail body.
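As an added illustration, which is not code from this advisory or from Discourse itself, the following Ruby shows the pattern behind both the issue and the workaround: a topic title interpolated raw into an HTML mail template, the same template with every user-controlled field entity-encoded, and a template variant with the title removed. The template text, field names, sample title and `forum.example` link are constructed assumptions for the example; the real Discourse templates are different.

```ruby
require "cgi"

# Constructed sample input (not taken from the advisory): a topic title that
# smuggles an attacker-controlled link into whatever renders it unescaped.
MALICIOUS_TITLE = 'Q3 planning <a href="https://evil.example/login">Sign in to view the topic</a>'

# Hypothetical invite-mail template in the style of an i18n string; the real
# Discourse templates are different and are not reproduced here.
INVITE_TEMPLATE = <<~HTML.freeze
  <p>%{inviter} invited you to the topic "%{topic_title}".</p>
  <p>%{custom_message}</p>
  <p><a href="%{invite_link}">Accept the invitation</a></p>
HTML

# Template variant for the advisory's workaround: the title is simply not
# interpolated, so it cannot carry markup into the mail body.
INVITE_TEMPLATE_NO_TITLE = <<~HTML.freeze
  <p>%{inviter} invited you to a topic.</p>
  <p>%{custom_message}</p>
  <p><a href="%{invite_link}">Accept the invitation</a></p>
HTML

# Vulnerable pattern: every field is interpolated raw, so HTML in the title
# (and in the custom message) becomes part of the email body's markup.
def render_vulnerable(fields)
  format(INVITE_TEMPLATE, fields)
end

# Hardened pattern: entity-encode every user-controlled field before it is
# placed in HTML context. The invite link is server-generated and is placed
# unescaped on purpose; real code would still validate it.
def render_hardened(fields)
  escaped = fields.to_h { |k, v| [k, k == :invite_link ? v : CGI.escapeHTML(v.to_s)] }
  format(INVITE_TEMPLATE, escaped)
end

# Workaround pattern: drop the title from the template entirely.
def render_without_title(fields)
  format(INVITE_TEMPLATE_NO_TITLE, fields.reject { |k, _| k == :topic_title })
end

# Count anchor tags in a rendered body. A legitimate invite has exactly one
# (the accept link); a second one means injected markup survived rendering.
def anchor_count(html)
  html.scan(/<a\s/i).size
end

# Cheap triage check over existing titles: does a title contain anything
# that would be interpreted as markup if rendered unescaped?
def title_contains_markup?(title)
  title != CGI.escapeHTML(title)
end

# Constructed sample fields for a single invite.
SAMPLE_FIELDS = {
  inviter: "alice",
  topic_title: MALICIOUS_TITLE,
  custom_message: "Please take a look before Friday.",
  invite_link: "https://forum.example/invites/abc123"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable anchors: #{anchor_count(render_vulnerable(SAMPLE_FIELDS))}"
  puts "hardened anchors:   #{anchor_count(render_hardened(SAMPLE_FIELDS))}"
  puts "no-title anchors:   #{anchor_count(render_without_title(SAMPLE_FIELDS))}"
end
```

The hardened variant is the durable fix: escaping at the point where a value enters HTML context works regardless of which template a title later appears in. The no-title variant matches the advisory's temporary workaround and loses the title from the mail, which is why it is only a stopgap until the patched release is deployed. `title_contains_markup?` is useful for checking whether any existing titles on an unpatched instance already contain markup that may have gone out in past invites.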

Weakness Enumeration

Improper Encoding or Escaping of Output (CWE-116)
XSS

Related Identifiers

BIT-DISCOURSE-2025-48062
CVE-2025-48062
GHSA-X8MP-CHX3-6X2P

Affected Products

Discourse