CVE-2026-27570
Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
EPSS 0.02%
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the `onebox` method in the `SharedAiConversation` model renders the conversation title directly into HTML without escaping it. A title containing markup is therefore stored and later rendered as live HTML to anyone who views the onebox, a stored cross-site scripting (XSS) flaw. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a workaround until the upgrade, tighten who may share AI conversations by restricting the `ai_bot_public_sharing_allowed_groups` site setting to trusted groups.
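The pattern described above, shown as an added example that is not Discourse's own code: a stand-in record with the fields an onebox needs, the vulnerable shape (title interpolated straight into markup), the hardened shape (every attacker-influenced value passed through `ERB::Util.html_escape`, the escaper behind Rails' `h` helper), and a small audit helper for finding already-stored titles that contain markup. The record struct, method names, base URL and sample rows are all constructed for illustration.

```ruby
require "erb"

# Constructed stand-in for a shared-conversation record with only the
# fields the onebox needs. Not Discourse's SharedAiConversation model.
SharedConversation = Struct.new(:share_key, :title, :llm_name, keyword_init: true)

# Vulnerable shape (illustrative): the user-controlled title is interpolated
# directly into markup, so a title like <img src=x onerror=...> becomes live HTML
# for every reader of the onebox.
def onebox_vulnerable(convo, base_url:)
  <<~HTML
    <aside class="onebox">
      <h3><a href="#{base_url}/shared/#{convo.share_key}">#{convo.title}</a></h3>
      <p>Shared conversation with #{convo.llm_name}</p>
    </aside>
  HTML
end

# HTML-escape a value before it touches markup. ERB::Util.html_escape encodes
# & < > " and ', which covers text nodes and double-quoted attribute values.
def esc(value)
  ERB::Util.html_escape(value.to_s)
end

# Hardened shape: every attacker-influenced value is escaped at render time,
# so stored markup is shown as text instead of executed.
def onebox_safe(convo, base_url:)
  <<~HTML
    <aside class="onebox">
      <h3><a href="#{esc(base_url)}/shared/#{esc(convo.share_key)}">#{esc(convo.title)}</a></h3>
      <p>Shared conversation with #{esc(convo.llm_name)}</p>
    </aside>
  HTML
end

# Audit helper: flag stored titles that look like markup, an event-handler
# attribute, or a javascript: URL, the shapes a stored XSS payload takes.
MARKUP_PATTERN = /<[a-z!\/]|\bon[a-z]+\s*=|javascript:/i

def suspicious_titles(convos)
  convos.select { |c| c.title.to_s.match?(MARKUP_PATTERN) }.map(&:share_key)
end

# Constructed sample rows: one benign title, one XSS payload, one title whose
# only special characters are legitimate punctuation.
SAMPLES = [
  SharedConversation.new(share_key: "abc123", title: "How do I rotate API keys?", llm_name: "gpt-4"),
  SharedConversation.new(share_key: "def456", title: "<img src=x onerror=alert(document.cookie)>", llm_name: "claude"),
  SharedConversation.new(share_key: "ghi789", title: "Tom & Jerry \"quotes\"", llm_name: "gpt-4"),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts onebox_vulnerable(SAMPLES[1], base_url: "https://forum.example")
  puts onebox_safe(SAMPLES[1], base_url: "https://forum.example")
  puts "Titles to review: #{suspicious_titles(SAMPLES).inspect}"
end
```

Escaping at render time is the right layer for this bug: it neutralises titles that were stored before the fix without needing a data migration, while the audit helper is what you would run against existing rows to find out whether anyone tried. Note that the same value needs a different encoder if it is ever placed inside a JavaScript string or an unquoted attribute; HTML escaping alone only covers the contexts shown here.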
How to fix CVE-2026-27570
To remediate CVE-2026-27570, upgrade to the first fixed release of the line you are running. Because the flaw is in how the onebox is rendered rather than in how titles are stored, the patch also neutralises titles that were saved before the upgrade; auditing existing shared-conversation titles for markup is still worthwhile to find out whether anyone attempted the attack.
- Bitnami/discourse: upgrade to 2026.1.2 (2026.1 line), 2026.2.1 (2026.2 line), or 2026.3.0 or later. Note that "2026.1.2 or later" alone is not sufficient, since 2026.2.0 is newer than 2026.1.2 but still vulnerable.
- Until the upgrade is applied, restrict the `ai_bot_public_sharing_allowed_groups` site setting to trusted groups so that fewer accounts can create shared conversations.
Is CVE-2026-27570 being exploited?
Low. The EPSS score is 0.02%, a low estimated probability of exploitation in the wild over the next 30 days; it is a prediction, not a report of observed attacks. Keep in mind that the CVSS vector below requires only a low-privileged (authenticated) user to plant the payload and a victim who merely views the onebox, so on a forum where sharing is open to ordinary members the bar for an attacker is low.
Affected packages (1)
- >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |

Reading the base metrics: network attack vector (AV:N), low complexity (AC:L), no special conditions (AT:N), low privileges required (PR:L, an ordinary authenticated account in an allowed sharing group), passive user interaction (UI:P, the victim only has to view the onebox), and low confidentiality and integrity impact on the vulnerable system (VC:L, VI:L) with no availability or subsequent-system impact. The threat and environmental metrics are all Not Defined (X). No numeric severity is published by this source.
References (4 listed)
- https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1
- https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1
- https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc
- https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv