๐Ÿ” CVE Alert

CVE-2026-55424

UNKNOWN 0.0

Discourse: Topic featured link susceptible to stored XSS

CVSS Score
0.0
EPSS Score
0.5%
EPSS Percentile
37th

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CWE CWE-79
Vendor discourse
Product discourse
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new unknown vulnerabilities affecting discourse discourse are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3 github.com: https://github.com/discourse/discourse/commit/1bce8881e4253d9bbab56f011a12ef899b926b59 github.com: https://github.com/discourse/discourse/commit/6679d9a5083488bae10c2adbb345c481c583242c github.com: https://github.com/discourse/discourse/commit/6828aee9b15c2655d63b515ac919830bd540ff83 github.com: https://github.com/discourse/discourse/commit/c9b9405f5bd0bf0269e505e28e3aad388d7657c5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0