CVE-2025-46824 LOW

CVE-2025-46824: Discourse Code Review Plugin vulnerable to XSS via auto link commits

Vendor Discourse
Product discourse-code-review
Weakness CWE-79 · XSS
Published May 7, 2025
Last update August 20, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Before commit eed3a80, an attacker who can post on the forum (hence PR:L in the vector) can execute arbitrary JavaScript in other users' browsers by posting links to malicious GitHub commits, which the plugin auto-links. The problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, disable the plugin until the patched commit is deployed; this removes the commit auto-linking entirely.
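The bug class above, as an added example that is not code from the discourse-code-review plugin and is not taken from the advisory. The page does not say which template or render path in the plugin interpolated commit data, so the function names, the shape of the `commit` object, and the GitHub URL pattern below are assumptions used only to illustrate CWE-79 in an auto-linking feature: commit metadata (title, message, author name) is controlled by whoever pushed the commit, so a rendering path that interpolates it into markup without escaping is an XSS sink.

```javascript
// Added example (not from the plugin or the advisory): auto-linking a GitHub
// commit URL while treating the commit's metadata as untrusted input.
// The shape of `commit` and the render functions are assumptions for this example.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only accept the exact shape of a GitHub commit URL; everything else is left as text.
const COMMIT_URL = /^https:\/\/github\.com\/([\w.-]+)\/([\w.-]+)\/commit\/([0-9a-f]{7,40})$/;

// Vulnerable pattern: the commit title is pushed straight into the markup, and the
// href is whatever string the poster supplied.
function renderCommitLinkUnsafe(url, commit) {
  return `<a href="${url}">${commit.title}</a>`;
}

// Hardened pattern: validate the URL, rebuild the href from the validated parts,
// and escape every field that came from the commit.
function renderCommitLinkSafe(url, commit) {
  const m = COMMIT_URL.exec(url);
  if (!m) {
    // Not a commit link: render as plain (escaped) text, never as an anchor.
    return escapeHtml(url);
  }
  const [, owner, repo, sha] = m;
  const href = `https://github.com/${owner}/${repo}/commit/${sha}`;
  return `<a href="${href}" rel="noopener noreferrer">${escapeHtml(commit.title)}</a>`;
}

// Quick triage helper: does rendered output still contain a live tag from the title?
function leaksMarkup(rendered, title) {
  return /<[a-z]/i.test(title) && rendered.includes(title);
}

// Constructed sample input: a commit whose title is an XSS payload, as an attacker
// who controls a repository could create. The repository and SHA are made up.
const sampleCommit = { title: '<img src=x onerror="alert(1)">' };
const sampleUrl = "https://github.com/example-org/example-repo/commit/0123abc";

console.log("unsafe:", renderCommitLinkUnsafe(sampleUrl, sampleCommit));
console.log("safe:  ", renderCommitLinkSafe(sampleUrl, sampleCommit));
console.log("non-commit URL:", renderCommitLinkSafe("javascript:alert(1)", sampleCommit));
```

The hardened function also refuses to turn a `javascript:` or otherwise malformed URL into an anchor, which closes the second common sink in link auto-generation (attribute injection via the href) alongside the text-context escaping the advisory's title points at.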

Key dates

Disclosure timeline

May 7, 2025 CVE published
August 20, 2025 Record updated