๐Ÿ” CVE Alert

CVE-2026-53963

HIGH 7.3

Discourse: Stored-XSS in 2FA delete confirmation modal

CVSS Score
7.3
EPSS Score
0.4%
EPSS Percentile
31th

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CWE CWE-79
Vendor discourse
Product discourse
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new high vulnerabilities affecting discourse discourse are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5 github.com: https://github.com/discourse/discourse/commit/40de62cddadc65c328a1028ab999f3fa94adbfed github.com: https://github.com/discourse/discourse/commit/529e17d4d570a48972e7cf64720e5dd1fdf23ca8 github.com: https://github.com/discourse/discourse/commit/d92973e51a46cf6dd20c71e6068e6769b67eea5b github.com: https://github.com/discourse/discourse/commit/daea5214d833eacbdd3b1a78d99eb14e9cabd915 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0