CVE-2026-32243

Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 through 2026.3.0.

Description Discourse, an open-source discussion platform, is affected by a flaw that allows an attacker who can create shared AI conversations to inject arbitrary HTML and JavaScript through crafted conversation titles. This injected code executes in the browser of users viewing the onebox preview, potentially leading to session hijacking or unauthorized actions.

Recommendations Update to Discourse version 2026.1.3 or later. Update to Discourse version 2026.2.2 or later. Update to Discourse version 2026.3.0 or later.