PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55424 discourse CVE debrief

CVE-2026-55424 is a high-severity vulnerability in Discourse, a popular open-source discussion platform. The vulnerability allows a user with permission to set a featured link to inject JavaScript when default Content Security Policy protections are modified or disabled. This issue was fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The vulnerability exists in the topic list feature of Discourse, where a 'featured link' was not sufficiently normalized and escaped before being rendered. This allows a user with permission to set a featured link to inject JavaScript, potentially leading to cross-site scripting (XSS) attacks when Content Security Policy protections are modified or disabled. Users of Discourse, especially those who can set featured links, should be aware of this vulnerability and update to a patched version as soon as possible.

Vendor
discourse
Product
Unknown
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Discourse, especially those who can set featured links, should be aware of this vulnerability and update to a patched version as soon as possible. This includes administrators and users with permission to set featured links, as well as security teams and vulnerability management teams responsible for ensuring the security of Discourse instances.

Technical summary

The vulnerability exists in the topic list feature of Discourse, where a 'featured link' was not sufficiently normalized and escaped before being rendered. This allows a user with permission to set a featured link to inject JavaScript, potentially leading to cross-site scripting (XSS) attacks when Content Security Policy protections are modified or disabled. The vulnerability was fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. Users should review and adjust Content Security Policy protections and monitor for suspicious activity on their Discourse instance.

Defensive priority

High

Recommended defensive actions

  • Update Discourse to version 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5
  • Review and adjust Content Security Policy protections
  • Monitor for suspicious activity on your Discourse instance
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-09T22:17:06.097Z and last modified on 2026-07-10T16:16:33.177Z. The NVD entry is currently Undergoing Analysis. This information is based on the provided source corpus and may not reflect the current status of the vulnerability. Users should verify the information with the official CVE record and NVD entry for the most up-to-date details. The vulnerability affects Discourse, a popular open-source discussion platform, and allows a user with permission to set a featured link to inject JavaScript when default Content Security Policy protections are modified or disabled.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:06.097Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.