References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.

AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79

https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1

https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee

https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5

https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v