๐Ÿ” CVE Alert

CVE-2026-55420

HIGH 7.5

Discourse: Remote code execution via pdf uploads

CVSS Score
7.5
EPSS Score
0.3%
EPSS Percentile
25th

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CWE CWE-78
Vendor discourse
Product discourse
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new high vulnerabilities affecting discourse discourse are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

discourse / discourse
>= 2026.5.0-latest, < 2026.5.1 >= 2026.4.0-latest, < 2026.4.2 >= 2026.1.0-latest, < 2026.1.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3 github.com: https://github.com/discourse/discourse/commit/ca5a7e06167561928556afa2f237d67e459c6914 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0