XSS in Discourse

CVE-2026-32607

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabl…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (14.2th percentile) — read the EPSS interpretation.

Affected products

Discourse — versions >= 2026.1.0-latest, < 2026.1.3, >= 2026.2.0-latest, < 2026.2.2, >= 2026.3.0-latest, < 2026.3.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/discourse/discourse/security/advisories/GHSA-xg68-q7ff-6gqm (x_refsource_CONFIRM)
https://github.com/discourse/discourse/commit/46edb174e237c6e57bda9c494160da0a174fe70d (x_refsource_MISC)