PT-2026-26341 · Discourse · Discourse

Davidtaylorhq · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-27166

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description

Discourse is an open source discussion platform. Insufficient cleanup of the default Codepen entry in the allowed iframes setting lets an attacker manipulate a user into changing the URL of the main page. The issue lies in how iframes embedded through the Codepen functionality are handled.
Recommendations

Versions prior to 2026.3.0-latest.1: Remove Codepen from the list of allowed iframes.
Versions prior to 2026.2.1: Remove Codepen from the list of allowed iframes.
Versions prior to 2026.1.2: Remove Codepen from the list of allowed iframes.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-27166
CVE-2026-27166
GHSA-H653-CQ78-VJJ2

Affected Products

Discourse