PT-2026-29307 · Discourse · Discourse

Davidtaylorhq · Published 2026-03-31 · Updated 2026-04-07 · CVE-2026-32607

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0

Description: Discourse is an open-source discussion platform. When the `prioritize full name in ux` site setting is enabled, user and group display names are rendered without HTML escaping in assignment-related UI paths. Because a full name is free text (unlike a username, which is restricted to a safe character set), a user who holds the assign permission can make an assignment whose displayed name carries arbitrary HTML/JavaScript; it executes in the browser of any user who views the affected topic (stored XSS, consistent with the UI:R and S:C components of the CVSS vector).

Recommendations: Update to Discourse version 2026.1.3 or later, 2026.2.2 or later, or 2026.3.0 or later, matching the release line in use. Until the update is applied, disabling the `prioritize full name in ux` site setting removes the vulnerable rendering path, since the unescaped output only occurs when that setting is enabled.
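The rendering bug described above, reduced to a minimal front-end renderer as an added example. This is not Discourse or discourse-assign code; the function names, the `prioritizeFullName` flag and the sample user are assumptions chosen to mirror the description (the setting selects the free-text full name over the restricted username, and the assign UI inserts that string into markup). The vulnerable and hardened renderers sit side by side, and `containsInjectedMarkup` is the kind of check a reviewer can run over rendered fragments to confirm which one a template is using.

```javascript
// Added example, not code from Discourse or the discourse-assign plugin.
// Function names, the prioritizeFullName flag and the sample user are
// assumptions for illustration.

// Minimal HTML escaper covering the characters that matter in text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the "prioritize full name" choice: when the setting is on, the
// human-entered full name is shown instead of the restricted username.
function displayName(user, prioritizeFullName) {
  return prioritizeFullName && user.name ? user.name : user.username;
}

// Vulnerable pattern: the chosen display name is concatenated straight into
// markup (the equivalent of marking the string as safe HTML in a template).
function renderAssignedToUnsafe(user, prioritizeFullName) {
  return `<span class="assigned-to">${displayName(user, prioritizeFullName)}</span>`;
}

// Hardened pattern: escape the value regardless of which field supplied it,
// so the setting no longer changes the security of the output.
function renderAssignedToSafe(user, prioritizeFullName) {
  return `<span class="assigned-to">${escapeHtml(displayName(user, prioritizeFullName))}</span>`;
}

// Crude review check: strip the wrapping <span> and look for any remaining
// tag start. Anything left means user-controlled data reached the page
// unescaped.
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<span class="assigned-to">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: the username is in the safe character set, the full
// name carries an HTML payload.
const attacker = {
  username: "assignee1",
  name: '<img src=x onerror="alert(document.cookie)">',
};

// Walk the four combinations (setting on/off, unsafe/safe renderer) and
// report which ones leak markup.
function auditRenderers(user) {
  const results = {};
  for (const prioritizeFullName of [false, true]) {
    results[`unsafe:${prioritizeFullName}`] =
      containsInjectedMarkup(renderAssignedToUnsafe(user, prioritizeFullName));
    results[`safe:${prioritizeFullName}`] =
      containsInjectedMarkup(renderAssignedToSafe(user, prioritizeFullName));
  }
  return results;
}

console.log(auditRenderers(attacker));
```

Only the combination of the setting being on and the unescaped renderer leaks markup, which matches the advisory's precondition: with the setting off the username is rendered, and usernames cannot carry a tag, so the bug is masked rather than fixed; the escaping renderer is safe in both states.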


XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-32607
CVE-2026-32607
GHSA-XG68-Q7FF-6GQM

Affected Products

Discourse