CVE-2026-32243 MEDIUM

CVE-2026-32243: Discourse: Stored XSS in discourse-ai shared conversations onebox

Vendor Discourse
Product discourse
Weakness CWE-79 · XSS
Published March 31, 2026
Last update April 3, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
April 3, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-13840 BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute CVE-2022-47437 WordPress WSB Brands Plugin <= 1.1.8 is vulnerable to Cross Site Scripting (XSS) CVE-2024-12045 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2021-34742 Cisco Vision Dynamic Signage Director Reflected Cross-Site Scripting Vulnerability CVE-2021-24955 ProfilePress < 3.2.3 - Reflected Cross-Site Scripting