๐Ÿ” CVE Alert

CVE-2026-53962

MEDIUM 5.4

Discourse: Insufficient SVG sanitization logic

CVSS Score
5.4
EPSS Score
0.3%
EPSS Percentile
18th

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CWE CWE-79
Vendor discourse
Product discourse
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new medium vulnerabilities affecting discourse discourse are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv github.com: https://github.com/discourse/discourse/commit/3ee8343cd7f00d59d8513bee0a12e02d50bfc358 github.com: https://github.com/discourse/discourse/commit/810c2715799fd08b06fd6ffc664d9562fe9ea6ff github.com: https://github.com/discourse/discourse/commit/92a699d89b84685b6fdd63cd0d0e371793c69dad github.com: https://github.com/discourse/discourse/commit/b8ceb49f4ba52257be30eb3c2ce51a5bf03be5fe github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0