Discourse PDF upload RCE before 2026.6.0/2026.5.1/2026.4.2/2026.1.5
CVE-2026-55420 Published on July 9, 2026
Discourse: Remote code execution via pdf uploads
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Vulnerability Analysis
CVE-2026-55420 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-55420 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-55420
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.5.0-latest, < 2026.5.1 is affected.
- Version >= 2026.4.0-latest, < 2026.4.2 is affected.
- Version >= 2026.1.0-latest, < 2026.1.5 is affected.