{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33411", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.171Z", "datePublished": "2026-03-20T22:58:14.546Z", "dateUpdated": "2026-03-24T18:03:07.240Z"}, "containers": {"cna": {"title": "Discourse's solved topic stream has potential stored XSS in topic title", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:58:14.546Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks."}], "source": {"advisory": "GHSA-j3mm-ghh2-83x2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:02:39.477033Z", "id": "CVE-2026-33411", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:03:07.240Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33411", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:02:39.477033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:02:58.208Z"}}], "cna": {"title": "Discourse's solved topic stream has potential stored XSS in topic title", "source": {"advisory": "GHSA-j3mm-ghh2-83x2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:58:14.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33411", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:03:07.240Z", "dateReserved": "2026-03-19T17:02:34.171Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:58:14.546Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks."}], "id": "CVE-2026-33411", "lastModified": "2026-03-24T21:11:01.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T23:16:47.660", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T22:52:09.257874+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched release (2026.3.0-latest.1, 2026.2.1, or 2026.1.2) or newer.", "If an upgrade cannot be performed immediately, ensure that a Content Security Policy is enabled and has not been altered to allow inline scripts or unsafe sources.", "Review topic title inputs to confirm they are properly sanitized before storage."], "summary": {"action": "Patch Immediately", "impact": "Stored XSS in topic titles"}, "threat_synthesis": {"affected_systems": "Discourse, the open\u2011source discussion platform, is affected. All instances running any version earlier than the following patched releases are vulnerable: 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Versions that include the patch sanitize the title rendering for the solved stream. The affected products are identified by the CPE strings that reference the core Discourse application.", "description_and_impact": "Discourse forums allow administrators to post topics. This vulnerability stems from insufficient sanitization of topic titles in the solved posts stream. As a result, an attacker could store malicious JavaScript in a title. When a user opens the solved stream, the injected script would execute in the victim\u2019s browser, giving the attacker control over the client context. Based on the description, it is inferred that such execution could lead to session hijacking or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates a moderate severity for this stored XSS flaw. The EPSS score of less than 1\u202f% suggests a low probability of exploitation in the near term. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers would need the ability to create or edit a topic in the solved stream and rely on users visiting that page to trigger the embedded script. While the likelihood of exploitation is low, the impact on user data and trust warrants prompt remediation."}}}}, "created": "2026-03-23T09:51:57.648203+00:00", "updated": "2026-03-25T14:33:57.215456+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}