QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27570

Published: Mar 19, 2026

Modified: Mar 24, 2026

PUBLISHED

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.

Vendor	Product	Versions
discourse	discourse	affected `>= 2026.1.0-latest, < 2026.1.2` affected `>= 2026.2.0-latest, < 2026.2.1` affected `= 2026.3.0-latest`

Weaknesses (CWE)

References

https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/43a5a60b595f0120e6adfc131f2408508fe341f1

x_refsource_MISC

https://github.com/discourse/discourse/commit/c14f8f52b7999328bd9f8665f2ecfa24dadc4bf1

x_refsource_MISC

https://github.com/discourse/discourse/commit/f2aafa5c7467c94fcd4ebd36785a98e77ca088cc

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.