Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
1.3
Discourse allows malicious user names to execute code in posts
CVE-2026-27154
Summary
Discourse users before version 2025.12.2 may be at risk of malicious code execution. If you're using an affected version, update to 2025.12.2 or later to protect your site. If you can't update immediately, isolate your site from the public until you can.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.2 | – |
| discourse | discourse | > 2026.1.0 , <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_nam...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
nvd CVSS3.1
6.1
nvd CVSS4.0
1.3
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026