CVE-2026-27166
Discourse vulnerable to HTML injection via prohibited iframe URLs
5.4
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
Discourse is an open source discussion platform. Prior to versions 2026.3.0, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes.
How to fix CVE-2026-27166
To remediate CVE-2026-27166, upgrade the affected package to a fixed version below.
- —upgrade to 2026.1.2 or later
Is CVE-2026-27166 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |