Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-48062

CVE-2025-48062: Discourse XSS Vulnerability via Email

CVE-2025-48062 is an XSS vulnerability in Discourse that allows HTML injection through email invites when topic titles contain HTML. This article covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-48062 Overview

CVE-2025-48062 is an HTML injection vulnerability in Discourse, the open-source discussion platform. The flaw allows HTML content within topic titles to be injected into invitation emails. It affects invitations sent via email to users without existing accounts, including private message (PM) invitations and topic invitations with custom messages. The issue is classified as Cross-Site Scripting (XSS) [CWE-79] and requires user interaction to exploit. Discourse patched the vulnerability in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch.

Critical Impact

Attackers can inject arbitrary HTML into invitation emails sent by Discourse, enabling phishing and content spoofing against recipients who have not yet registered accounts.

Affected Products

  • Discourse stable branch prior to 3.4.4
  • Discourse beta branch prior to 3.5.0.beta5
  • Discourse tests-passed branch prior to 3.5.0.beta6-dev

Discovery Timeline

  • 2025-06-09 - CVE-2025-48062 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-48062

Vulnerability Analysis

The vulnerability resides in Discourse's email invitation workflow. When a user invites a non-registered recipient to a private message or a topic with a custom message, the topic title is inserted into the outgoing email template. Discourse fails to properly sanitize or HTML-encode the {topic_title} placeholder before rendering it into the email body. An attacker who controls a topic title can supply raw HTML markup that will render as part of the email delivered to the invitee.

The flaw is categorized under [CWE-79] as improper neutralization of input during web page generation. Because the injection targets the email client rather than the Discourse web application, the exploitation surface depends on the recipient's mail user agent and its handling of HTML content. Successful exploitation requires the recipient to open the malicious invitation email.

Root Cause

The root cause is the direct interpolation of the {topic_title} variable into HTML email templates without contextual output encoding. Discourse trusts topic titles as safe text and does not escape HTML metacharacters when constructing the invitation body.

Attack Vector

An attacker with permission to create topics or private messages crafts a title containing HTML tags such as anchor elements, images, or styled containers. The attacker then invites a target email address that is not associated with an existing account. Discourse generates and sends the invitation email, embedding the attacker-controlled HTML in the body. When the recipient opens the message, their email client renders the injected markup, which can be leveraged for phishing links, brand spoofing, or content masquerading as legitimate Discourse communication.

No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory GHSA-x8mp-chx3-6x2p for authoritative technical details.

Detection Methods for CVE-2025-48062

Indicators of Compromise

  • Discourse topics or private messages with titles containing HTML tags such as <a>, <img>, <style>, or <script>.
  • Outbound invitation emails from Discourse containing rendered HTML markup within the topic title region of the message body.
  • User reports of invitation emails with unexpected links, images, or formatting purporting to originate from a trusted Discourse instance.

Detection Strategies

  • Audit the Discourse topics table for titles containing angle brackets or HTML entity sequences.
  • Inspect outbound SMTP traffic and mail server logs for invitation emails whose subject or body contains raw HTML fragments in the title field.
  • Correlate invitation events in Discourse admin logs with account creation activity to identify targeted invitation campaigns from low-reputation users.

Monitoring Recommendations

  • Enable and retain Discourse administrative and email delivery logs for post-incident review.
  • Monitor user-generated content for anomalous title syntax and flag titles containing HTML tokens for moderator review.
  • Track invitation volume per user account to detect abuse patterns consistent with mass phishing attempts.

How to Mitigate CVE-2025-48062

Immediate Actions Required

  • Upgrade Discourse to version 3.4.4 on the stable branch, 3.5.0.beta5 on the beta branch, or 3.5.0.beta6-dev on the tests-passed branch.
  • Review recently sent invitation emails and notify affected recipients if suspicious content was delivered.
  • Restrict topic creation and invitation permissions to trusted user trust levels where feasible.

Patch Information

Discourse released fixes in version 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed). The patch ensures the {topic_title} variable is HTML-encoded before insertion into invitation email templates. See the GitHub Security Advisory GHSA-x8mp-chx3-6x2p for the official advisory.

Workarounds

  • Override the affected invitation email templates in Discourse and remove the {topic_title} placeholder until the upgrade is applied.
  • Customize the invitation templates to render the topic title as plain text or omit it entirely.
  • Temporarily disable email invitations to non-registered users until the fix is deployed.
bash
# Example: Discourse upgrade command for Docker-based installs
cd /var/discourse
git pull
./launcher rebuild app

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.