BIT-discourse-2026-27570
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-27570.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-discourse-2026-27570
- Aliases
-
- CVE-2026-27570
- GHSA-hfxw-89hw-vwmv
- Published
- 2026-03-27T07:09:54.665Z
- Modified
- 2026-04-02T13:26:04.128186056Z
- Summary
- Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
- Details
-
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the
ai_bot_public_sharing_allowed_groupssite setting. - Database specific
{ "cpes": [ "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*" ], "severity": "Medium" }- References
-
- https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1
- https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1
- https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc
- https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv
- https://nvd.nist.gov/vuln/detail/CVE-2026-27570
Affected packages
Bitnami / discourse
Package
- Name
- discourse
- Purl
- pkg:bitnami/discourse
Severity
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator