CVE-2026-27740: Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cros
Summary
Discourse, an open-source discussion platform, has a cross-site scripting vulnerability (XSS, where attackers inject malicious code that runs in a user's browser) in versions before 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability exists because the system trusts output directly from an AI language model and displays it without proper sanitization (cleaning) in the Review Queue interface, allowing attackers to use prompt injection (tricking the AI by hiding instructions in user input) to make the AI generate malicious code that executes when staff members review flagged posts.
Solution / Mitigation
Update to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, which contain a patch. Alternatively, as a workaround, temporarily disable AI triage automation scripts.
Vulnerability Details
EPSS: 0.0%
March 19, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-27740
First tracked: March 19, 2026 at 06:07 PM
Classified by LLM (prompt v3) · confidence: 95%