Discourse XSS in welcome_banner.header.logged_in_members before 3.5.0.beta8
CVE-2025-54411 Published on August 19, 2025
Discourse welcome banner user name XSS
Discourse is an open-source discussion platform. The user name string rendered in the welcome banner for logged-in users is vulnerable to XSS, which affects the user whose name is displayed or an admin impersonating that user. As a temporary workaround, admins can alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or refrain from impersonating users until they have upgraded. This vulnerability is fixed in 3.5.0.beta8.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-54411 has been classified as an XSS vulnerability or weakness.
Products Associated with CVE-2025-54411
Affected Versions
Discourse versions earlier than 3.5.0.beta8 are affected by CVE-2025-54411.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.