{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27154", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T00:18:53.962Z", "datePublished": "2026-02-26T21:20:25.181Z", "dateUpdated": "2026-03-02T20:57:00.349Z"}, "containers": {"cna": {"title": "Discourse has XSS when editing a malicious post", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "< 2025.12.2", "status": "affected"}, {"version": ">= 2026.1.0-latest, < 2026.1.1", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T21:20:25.181Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available."}], "source": {"advisory": "GHSA-xv43-5gcp-wgw8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:56:42.809375Z", "id": "CVE-2026-27154", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:57:00.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T20:56:42.809375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:56:47.060Z"}}], "cna": {"title": "Discourse has XSS when editing a malicious post", "source": {"advisory": "GHSA-xv43-5gcp-wgw8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "< 2025.12.2"}, {"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.1"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.0"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T21:20:25.181Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27154", "state": "PUBLISHED", "dateUpdated": "2026-03-02T20:57:00.349Z", "dateReserved": "2026-02-18T00:18:53.962Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T21:20:25.181Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "452E5338-8153-4A3E-B634-CAE43E14B557", "versionEndExcluding": "2025.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*", "matchCriteriaId": "BB002FDC-BC71-4C46-8AAF-A34EC717E0E7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, el nombre completo de un usuario puede ser evaluado como HTML sin procesar cuando las siguientes configuraciones est\u00e1n establecidas: 'display_name_on_posts' =&gt; true; y 'prioritize_username_in_ux' =&gt; false. Editar una publicaci\u00f3n de un usuario malicioso activar\u00eda un XSS. Las versiones 2025.12.2, 2026.1.1 y 2026.2.0 parchean el problema. No hay soluciones alternativas conocidas disponibles."}], "id": "CVE-2026-27154", "lastModified": "2026-03-02T18:13:16.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T22:20:47.730", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.12.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-04-17T14:15:20.520225+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to a patched release (2025.12.2, 2026.1.1, 2026.2.0, or the latest stable version).", "After upgrading, review or remove any user display names that contain unsanitized HTML to eliminate residual risk.", "Continuously monitor Discourse release notes and apply new security updates as they become available to maintain protection against future vulnerabilities."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Discourse, the open\u2011source discussion platform, is impacted in all releases older than 2025.12.2, 2026.1.1, and 2026.2.0. The defect manifests only when the settings `display_name_on_posts` is true and `prioritize_username_in_ux` is false, causing raw user names to be output as raw HTML. Any installation running a vulnerable version with these settings should be considered at risk.", "description_and_impact": "The vulnerability allows a malicious account to embed arbitrary HTML into its full name, which is rendered without sanitization when the user posts are viewed. When an editor modifies a post belonging to that account, the unsanitized HTML is injected into all browsers viewing the edited post, enabling attackers to steal session cookies, deface content, or execute additional client\u2011side scripts. This is a classic Cross\u2011Site Scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS base score is 1.3, indicating a low severity, and the EPSS probability is below 1\u202f%, reflecting a very low chance of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. It is inferred that exploitation requires an authenticated user with permission to edit posts, and the effect is limited to browsers that render the malicious user name from posts edited by the attacker. Consequently, while the overall risk remains low, any publicly exposed Discourse instance with the problematic settings may still be exposed to XSS attacks."}}}}, "created": "2026-02-27T09:04:08.664996+00:00", "updated": "2026-04-17T14:15:21.830418+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}