CVE-2026-33411 Overview
CVE-2026-33411 is a stored Cross-Site Scripting (XSS) vulnerability affecting Discourse, the popular open-source discussion platform. The vulnerability exists in the topic titles within the solved posts stream feature, allowing attackers with low privileges to inject malicious scripts that execute in victims' browsers when viewing affected content.
Critical Impact
Attackers can inject persistent malicious scripts into topic titles that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of victims.
Affected Products
- Discourse versions prior to 2026.3.0-latest.1 (latest branch)
- Discourse versions prior to 2026.2.1 (stable branch)
- Discourse versions prior to 2026.1.2 (beta branch)
Discovery Timeline
- 2026-03-20 - CVE-2026-33411 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33411
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in Discourse's handling of topic titles specifically when rendered within the solved posts stream. The vulnerability requires an authenticated user with low privileges to exploit, but the malicious payload persists in the application and executes whenever other users view the affected content.
The attack requires user interaction—victims must navigate to a page displaying the malicious topic title in the solved posts stream. When successful, the injected script executes within the victim's browser session, operating under the same origin as the Discourse application. This allows attackers to potentially access session tokens, perform actions on behalf of authenticated users, or redirect users to malicious sites.
In CVSS terms the scope is changed: the vulnerability can affect resources beyond the security authority of the vulnerable component, impacting the confidentiality and integrity of the broader application context.
Root Cause
The root cause is insufficient input sanitization and output encoding of user-supplied content in topic titles when rendered in the solved posts stream. The application fails to properly escape or neutralize special characters and HTML/JavaScript content before inserting user-controlled data into the rendered page, allowing script injection.
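The following is an added example, not code from Discourse or from the advisory, showing the root-cause pattern in isolation: a user-controlled title interpolated into HTML unchanged versus the same title passed through Rails' HTML escaper first. The sample title and the `render_title_*` helper names are constructed for illustration.

```ruby
# Added example (not Discourse's own code): raw interpolation of a topic title
# into markup versus HTML-escaping it with ERB::Util.html_escape.
require 'erb'

# Constructed sample title standing in for attacker-controlled input.
SAMPLE_TITLE = 'Fixed login bug <img src=x onerror="probe()">'.freeze

# Vulnerable rendering: the title is inserted into the markup unchanged, so any
# tag or event-handler attribute it carries becomes part of the DOM.
def render_title_unsafe(title)
  "<a class=\"topic-title\">#{title}</a>"
end

# Hardened rendering: every HTML metacharacter is encoded, so the browser shows
# the title as text and never parses it as markup.
def render_title_safe(title)
  "<a class=\"topic-title\">#{ERB::Util.html_escape(title)}</a>"
end

# Reviewer check: does the rendered link text still contain a raw '<' that a
# browser would parse as the start of a tag?
def contains_markup?(html)
  inner = html[%r{<a class="topic-title">(.*)</a>}m, 1].to_s
  inner.match?(/<[a-z!\/]/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_title_unsafe(SAMPLE_TITLE)
  puts render_title_safe(SAMPLE_TITLE)
  puts "unsafe contains markup: #{contains_markup?(render_title_unsafe(SAMPLE_TITLE))}"
  puts "safe contains markup:   #{contains_markup?(render_title_safe(SAMPLE_TITLE))}"
end
```

The escaped output keeps the literal characters of the title (a reader still sees the angle brackets) but encodes them as entities, which is the output-encoding step the advisory says was missing for this rendering path.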
Attack Vector
The attack vector is network-based, requiring an authenticated attacker to create or modify a topic title with embedded malicious script content. The payload persists in the Discourse database and executes when other authenticated users view the solved posts stream containing the malicious topic title.
The attacker crafts a topic title containing JavaScript code that bypasses the application's sanitization mechanisms. When the topic appears in the solved posts stream, the malicious script executes in the context of viewing users' browsers. The attack does not require special timing or additional conditions beyond user interaction—simply viewing the affected page triggers execution.
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33411
Indicators of Compromise
- Unusual JavaScript code or HTML tags appearing in topic titles within the database
- User reports of unexpected browser behavior when viewing the solved posts stream
- Anomalous HTTP requests originating from users' browsers to external domains after viewing Discourse pages
Detection Strategies
- Monitor web application logs for topic creation or modification events containing suspicious script-like content
- Implement Content Security Policy violation reporting to detect blocked XSS execution attempts
- Deploy web application firewall rules to detect and block XSS payloads in topic title parameters
Monitoring Recommendations
- Enable and review CSP violation reports for attempted script injections
- Audit topic titles for suspicious HTML entities, script tags, or event handlers
- Monitor user sessions for unusual activity patterns that may indicate session compromise from XSS attacks
How to Mitigate CVE-2026-33411
Immediate Actions Required
- Upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 depending on your deployment branch
- Verify that Content Security Policy (CSP) is enabled and has not been weakened
- Audit existing topic titles in the solved posts stream for potentially malicious content
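Both the detection advice above (audit titles for script tags, event handlers and suspicious HTML entities) and this mitigation step (audit existing titles before or after patching) need the same check. The following is an added example, not tooling shipped by Discourse: it flags titles that contain markup-like content and reports why. The sample rows are constructed; the `Topic.pluck(:id, :title)` call mentioned in the comment is the assumed way to feed real titles to it from the Rails console.

```ruby
# Added example (not Discourse's own tooling): flag topic titles whose text
# looks like HTML markup, script, inline event handlers, or encoded brackets.

# Each pattern is paired with a short reason so the report is readable.
# A '<' followed by whitespace is text, not a tag opener, so the tag patterns
# require the tag name to follow '<' directly.
SUSPICIOUS_PATTERNS = {
  'html tag'        => /<\/?[a-z][\w-]*[^>]*>/i,
  'script keyword'  => /<\/?script\b/i,
  'event handler'   => /\bon[a-z]+\s*=/i,
  'javascript: url' => /javascript\s*:/i,
  'encoded angle'   => /&(lt|gt|#0*(60|62)|#x0*3[ce]);/i
}.freeze

# Returns the list of reasons a title was flagged (empty when it looks clean).
def suspicious_reasons(title)
  SUSPICIOUS_PATTERNS.select { |_, re| title.match?(re) }.keys
end

# Runs the check over [id, title] pairs and returns only the flagged rows as
# [id, title, reasons].
def audit_titles(rows)
  rows.filter_map do |id, title|
    reasons = suspicious_reasons(title.to_s)
    [id, title, reasons] unless reasons.empty?
  end
end

# Constructed sample data. In Discourse's Rails console the equivalent input
# would be Topic.pluck(:id, :title) (assumed model and column names).
SAMPLE_ROWS = [
  [101, 'How do I reset my password?'],
  [102, 'Solved: upgrade to 2026.2.1 failed on rebuild'],
  [103, 'Login bug <img src=x onerror="probe()">'],
  [104, 'Question about <script> tags in posts'],
  [105, 'Check docs &lt;here&gt; for config'],
  [106, 'Why is a < b but b > c here?']
]

if __FILE__ == $PROGRAM_NAME
  audit_titles(SAMPLE_ROWS).each do |id, title, reasons|
    puts "topic #{id}: #{reasons.join(', ')} -- #{title.inspect}"
  end
end
```

Row 106 is included deliberately: stray comparison operators in an ordinary title are not markup and should not be flagged, while row 104 shows that a benign-looking mention of a tag still deserves a manual look, since the audit cannot tell intent from text alone.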
Patch Information
Discourse has released patched versions that address this stored XSS vulnerability. Organizations should upgrade to the following versions:
- Latest branch: 2026.3.0-latest.1 or later
- Stable branch: 2026.2.1 or later
- Beta branch: 2026.1.2 or later
Refer to the GitHub Security Advisory for complete patch details and upgrade instructions.
Workarounds
- Ensure Content Security Policy is enabled and properly configured to restrict script execution
- Avoid modifying CSP settings in ways that would increase XSS vulnerability
- Consider temporarily disabling the solved posts feature if immediate patching is not possible
# Verify CSP is enabled in Discourse settings (run on the Discourse host)
cd /var/discourse
./launcher enter app   # open a shell inside the running app container
rails c                # start the Rails console
# In the Rails console, check the CSP site setting
SiteSetting.content_security_policy
# Should return true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.