CVE-2025-67723

Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin

Description

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.

INFO

Published Date :

2026-01-28T18:21:35.379Z

Last Modified :

2026-01-28T19:28:24.714Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-67723 vulnerability.

Vendors	Products
Discourse	Discourse

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67723.

URL	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact