Discourse PDF upload RCE before 2026.6.0/2026.5.1/2026.4.2/2026.1.5
CVE-2026-55420 Published on July 9, 2026

Discourse: Remote code execution via pdf uploads
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

NVD

Vulnerability Analysis

CVE-2026-55420 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2026-55420 has been classified to as a Shell injection vulnerability or weakness.


Products Associated with CVE-2026-55420

Want to know whenever a new CVE is published for Discourse? stack.watch will email you.

 

Affected Versions

discourse: