PT-2026-26433 · Discourse · Discourse-Graphviz +1
Davidtaylorhq
Published: 2026-03-19 · Updated: 2026-03-27
CVE-2026-33395
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description
Discourse is an open-source discussion platform. The discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject JavaScript through DOT graph definitions. Exploitation is only possible on instances where the Content Security Policy (CSP) is disabled, since an enforced CSP blocks the injected script from executing.
Recommendations
Versions prior to 2026.3.0-latest.1: Disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
Versions prior to 2026.2.1: Disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
Versions prior to 2026.1.2: Disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.
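Each recommendation above offers "enable a content security policy" as an alternative to upgrading. The check below is an added example, not code from Discourse or from the advisory, that inspects a captured set of HTTP response headers and reports whether a CSP is actually enforcing script restrictions (as opposed to being absent, report-only, or permissive enough to still allow inline script). The header samples are constructed for illustration; a practitioner would feed it the headers of a real response instead.

```python
"""Classify how well a response's CSP constrains script execution.

Added example for the discourse-graphviz advisory; the header samples are
constructed, not captured from a real Discourse instance.
"""

from typing import Mapping

CSP_HEADER = "content-security-policy"
CSP_REPORT_ONLY = "content-security-policy-report-only"
# Source expressions that bind inline script to a nonce or hash; when any is
# present, CSP3 browsers ignore a co-listed 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive_name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def script_policy(headers: Mapping[str, str]) -> str:
    """Return one of 'missing', 'report-only', 'permissive', 'restrictive'.

    'restrictive' means an enforced CSP governs script-src (directly or via
    the default-src fallback) without a wildcard or an unguarded
    'unsafe-inline', which is the condition that blocks a stored XSS payload.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if CSP_HEADER not in lowered:
        # Report-only mode logs violations but does not block the script.
        return "report-only" if CSP_REPORT_ONLY in lowered else "missing"

    csp = parse_csp(lowered[CSP_HEADER])
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        return "permissive"  # neither script-src nor a default-src fallback

    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    if "*" in sources:
        return "permissive"
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return "permissive"
    return "restrictive"


# Constructed header sets covering the cases a reviewer would want to tell apart.
SAMPLE_RESPONSES = {
    "no_csp": {"Content-Type": "text/html"},
    "report_only": {"Content-Security-Policy-Report-Only": "script-src 'self'"},
    "inline_allowed": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"
    },
    "default_src_only": {"Content-Security-Policy": "default-src 'self'"},
    "nonce_based": {
        "Content-Security-Policy": "script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'"
    },
}


def audit(responses: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> dict[str, str]:
    """Classify every sample response; anything other than 'restrictive'
    means the CSP mitigation named in the recommendations is not in force."""
    return {name: script_policy(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} {verdict}")
```

Only a `restrictive` verdict means the CSP alternative in the recommendations is actually providing the protection; `report-only` and `permissive` instances are as exposed as ones with no header at all and should disable the plugin or upgrade.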
Tags: XSS
Affected Products
Discourse
Discourse-Graphviz