Discourse: XSS on category description update via API_CVE-2026-32273

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Basic Information

ID CVE-2026-32273

Source GitHub_M

Published Mar 31, 2026 at 17:39

Modified Mar 31, 2026 at 18:52

Affected Product

Vendor discourse

Product discourse

Version >= 2026.1.0-latest, < 2026.1.3

Affected Versions discourse discourse >= 2026.1.0-latest, < 2026.1.3
discourse discourse >= 2026.2.0-latest, < 2026.2.2
discourse discourse >= 2026.3.0-latest, < 2026.3.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.",
    "published": "2026-03-31T17:39:48.771Z",
    "modified": "2026-03-31T18:52:31.983Z",
    "type": "cve",
    "title": "Discourse: XSS on category description update via API",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-h2h4-767x-6pc8\nhttps://github.com/discourse/discourse/commit/05e3da2a670cfd499649128b6c955b552451240b",
    "id": "CVE-2026-32273",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse >= 2026.1.0-latest, < 2026.1.3\ndiscourse discourse >= 2026.2.0-latest, < 2026.2.2\ndiscourse discourse >= 2026.3.0-latest, < 2026.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": ">= 2026.1.0-latest, < 2026.1.3",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}