🔐 CVE Alert

CVE-2026-33395

MEDIUM 4.4

Discourse has stored click‑based XSS via Graphviz SVG javascript: links

CVSS Score: 4.4
EPSS Score: 0.0%
EPSS Percentile: 8th

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. Only instances with the content security policy (CSP) disabled are affected. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.

CWE: CWE-79
Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Last Updated: Mar 20, 2026
CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

discourse / discourse
>= 2026.1.0-latest, < 2026.1.2
>= 2026.2.0-latest, < 2026.2.1
= 2026.3.0-latest

References

https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v
https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1
https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee
https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5