CVE-2026-55424 in Discourseinfo

Summary

by MITRE • 07/10/2026

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability affects Discourse, an open-source discussion platform where users can set featured links for topics in the topic list display. The flaw stems from inadequate input sanitization and output escaping of featured link URLs before rendering them in the user interface. Prior to the patched versions, when a malicious user with permission to set featured links configured a link containing JavaScript code, this code could be executed in the browser of other users viewing the topic list. This represents a cross-site scripting vulnerability that leverages the platform's own feature as an attack vector.

The technical implementation of this flaw involves insufficient sanitization of user-provided content within the featured link functionality. When users set featured links, their input should undergo proper HTML escaping and URL normalization to prevent script execution. The vulnerability becomes particularly dangerous when default Content Security Policy protections are modified or disabled by administrators, as this removes additional layers of defense that would typically block malicious scripts. Without these protective measures, attackers can craft malicious URLs containing JavaScript payload that executes in the context of other users' browsers.

The operational impact of this vulnerability is significant as it allows for arbitrary code execution within user sessions, potentially leading to session hijacking, data exfiltration, or further exploitation. Attackers could inject scripts that steal cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The vulnerability affects all users who can set featured links, which typically includes moderators and administrators, making it particularly dangerous in environments where these roles are shared with less trusted users.

Security mitigations include updating to the patched versions 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5, which implement proper input sanitization and output escaping for featured links. Administrators should also ensure that default Content Security Policy headers remain enabled and not modified in ways that could weaken security protections. Additionally, implementing proper access controls to limit who can set featured links provides defense-in-depth. This vulnerability aligns with CWE-79 Cross-Site Scripting and follows ATT&CK technique T1566 Credential Access through session hijacking. Organizations should also consider monitoring for suspicious link patterns in topic features and implementing web application firewalls as additional protective measures. The fix demonstrates proper secure coding practices emphasizing input validation and output escaping as fundamental defenses against injection attacks.

This vulnerability type represents a classic example of insufficient input sanitization that can be exploited when platform features are designed to accept user-provided content without adequate security controls. The risk is amplified by the fact that many organizations may disable default CSP protections for legitimate reasons, inadvertently exposing themselves to this attack vector. The patch addresses the root cause by implementing proper HTML escaping and URL normalization before rendering featured links, ensuring that any malicious JavaScript embedded in URLs is neutralized through proper output encoding techniques.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!