{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27166", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T00:18:53.962Z", "datePublished": "2026-03-19T20:29:22.570Z", "dateUpdated": "2026-03-19T20:29:22.570Z"}, "containers": {"cna": {"title": "Discourse vulnerable to HTML injection via prohibited iframe URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2"}, {"name": "https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "< 2026.3.0-latest.1", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:29:22.570Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes."}], "source": {"advisory": "GHSA-h653-cq78-vjj2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes."}], "id": "CVE-2026-27166", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:08.740", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/c4762a4fac2f61f52f325396b11d3aeb955ea925"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.0-latest.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T21:21:34.463460+00:00", "value": {"mitigation_remediation": ["Update Discourse to 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2.", "If an update is not possible, remove Codepen from the list of allowed iframes to eliminate the vulnerable configuration."], "summary": {"action": "Apply Patch", "impact": "HTML Injection leads to URL redirection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open source discussion platform Discourse (discourse:discourse) in any release prior to version 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2. Versions released after those points contain the fix.", "description_and_impact": "Discourse is vulnerable because the default Codepen iframe configuration does not sanitize URLs. An attacker can supply malicious iframe content that, when rendered, tricks a user into navigating to an arbitrary URL. This results in cross\u2011site scripting style payloads where the victim is redirected to a site under the attacker\u2019s control, potentially facilitating phishing or credential leakage. The weakness is classified as CWE\u201180 (HTML Injection).", "risk_and_exploitability": "The CVSS score is 4.1, indicating moderate severity. EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Based on the description it is inferred that the attack vector requires a remote attacker to deliver malicious content to a user, typically through social engineering or compromised third\u2011party integrations. The exploit relies on the user viewing the affected iframe content, so successful exploitation depends on user interaction but is otherwise straightforward using the known Codepen configuration."}}}}, "created": "2026-03-20T08:56:16.362546+00:00", "updated": "2026-03-20T11:06:26.028970+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}