CVE-2025-48062
Discourse vulnerable to HTML injection when inviting to topic via email
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Discourse vulnerable to HTML injection when inviting to topic via email
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
Reserved 2025-05-15 | Published 2025-06-09 | Updated 2025-06-09 | Assigner GitHub_MCWE-116: Improper Encoding or Escaping of Output
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
github.com/...course/security/advisories/GHSA-x8mp-chx3-6x2p
Support options
