Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.

INFO

Published Date :

2026-03-19T20:52:17.572Z

Last Modified :

2026-03-19T20:52:17.572Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27570 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27570.

URL Resource
https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1 cve-icon cve-icon
https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1 cve-icon cve-icon
https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc cve-icon cve-icon
https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability