{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33395", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.169Z", "datePublished": "2026-03-19T22:33:19.328Z", "dateUpdated": "2026-03-19T22:33:19.328Z"}, "containers": {"cna": {"title": "Discourse has stored click\u2011based XSS via Graphviz SVG javascript: links", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v"}, {"name": "https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1"}, {"name": "https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee"}, {"name": "https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:33:19.328Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy."}], "source": {"advisory": "GHSA-23c7-gq89-xm5v", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy."}], "id": "CVE-2026-33395", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:44.710", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T23:21:17.975103+00:00", "value": {"mitigation_remediation": ["Upgrade to Discourse 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2", "Disable the discourse\u2011graphviz plugin if upgrade is not possible", "Enable a content security policy to prevent inline JavaScript execution"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) that allows arbitrary JavaScript execution"}, "threat_synthesis": {"affected_systems": "This issue affects Discourse installations using the discourse\u2011graphviz plugin on versions prior to 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2. The vulnerability is only exploitable when a content\u2011security\u2011policy is disabled; instances that enforce CSP are unaffected. The affected product is the open\u2011source Discourse discussion platform.", "description_and_impact": "The disclosed vulnerability in the discourse\u2011graphviz plugin allows authenticated users to embed malicious JavaScript through DOT graph definitions in stored data. This stored cross\u2011site scripting flaw (CWE\u201179) can lead to arbitrary script execution on browsers viewing the affected graph, potentially compromising session integrity and enabling phishing or credential theft.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known exploited vulnerability at this time. Exploitation requires an authenticated user to submit a malicious DOT graph and the target instance must have CSP disabled, so the risk is limited to authenticated attackers with access to graph creation. Without CSP enabled, the attacker can execute JavaScript in the victim\u2019s browser."}}}}, "created": "2026-03-20T08:54:44.595148+00:00", "updated": "2026-03-20T10:44:12.500677+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}