Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT graph definitions. For instances with CSP disabled only. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the graphviz plugin, upgrade to a patched version, or enable a content security policy.

INFO

Published Date :

2026-03-19T22:33:19.328Z

Last Modified :

2026-03-20T16:40:49.907Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33395 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33395.

URL Resource
https://github.com/discourse/discourse/commit/0471e68ed0b594bf386e068f228849244b880ef1 cve-icon cve-icon
https://github.com/discourse/discourse/commit/0c861df8bea03dcc01b60da6cc7038e6c88de4ee cve-icon cve-icon
https://github.com/discourse/discourse/commit/472f9e1f7855307e489e9eaa6825d5335dfc08b5 cve-icon cve-icon
https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact