Discourse X before 2026.6.0 XSS via unescaped featured link
CVE-2026-55424 Published on July 9, 2026

Discourse: Topic featured link susceptible to stored XSS
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-55424 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2026-55424

Want to know whenever a new CVE is published for Discourse? stack.watch will email you.

 

Affected Versions

discourse: