PT-2026-5181 · Discourse · Discourse+1
Published 2026-01-28 · Updated 2026-02-09
CVE-2025-67723
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 contain a cross-site scripting (XSS) issue, mitigated by the platform's Content Security Policy, in the Discourse Math plugin when its KaTeX renderer is used. The issue is addressed in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0.
Recommendations
Discourse versions prior to 3.5.4: Upgrade to version 3.5.4 or later.
Discourse versions prior to 2025.11.2: Upgrade to version 2025.11.2 or later.
Discourse versions prior to 2025.12.1: Upgrade to version 2025.12.1 or later.
Discourse versions prior to 2026.1.0: Upgrade to version 2026.1.0 or later.
As a temporary workaround, disable the Discourse Math plugin.
As a temporary workaround, switch the Discourse Math plugin's provider from KaTeX to MathJax.
Exploit
Fix
XSS
Affected Products
Discourse
Discourse Math Plugin