CVE-2025-54411 LOW

CVE-2025-54411: Discourse welcome banner user name XSS

Vendor Discourse
Product discourse
Weakness CWE-79 · XSS
Published August 19, 2025
Last update August 19, 2025

CVSS base score

2.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Discourse is an open-source discussion platform. The user name string in the welcome banner shown to logged-in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. As a workaround, admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or avoid impersonating any users for the time being. This vulnerability is fixed in 3.5.0.beta8.

Key dates

02 Disclosure timeline

August 19, 2025 CVE published
August 19, 2025 Record updated