Discourse <2026.3.0-Latest.1 XSS in Topic Titles for Solved Posts
CVE-2026-33411 Published on March 20, 2026
Discourse's solved topic stream has potential stored XSS in topic title
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
Vulnerability Analysis
CVE-2026-33411 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-33411 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-33411
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.1.0-latest, < 2026.1.2 is affected.
- Version >= 2026.2.0-latest, < 2026.2.1 is affected.
- Version = 2026.3.0-latest is affected.