CVE-2025-66488

🗓️ 28 Jan 2026 18:15:52Reported by GitHub_MType

Discourse allows script execution in HTML/XML uploads on S3; fixed in later versions; restrict uploads.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2025-66488	28 Jan 202618:15	–	attackerkb
CNNVD	Discourse security vulnerabilities	28 Jan 202600:00	–	cnnvd
Cvelist	CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3	28 Jan 202618:15	–	cvelist
EUVD	EUVD-2025-206449	28 Jan 202618:15	–	euvd
NVD	CVE-2025-66488	28 Jan 202619:16	–	nvd
OSV	BIT-DISCOURSE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3	2 Feb 202608:42	–	osv
OSV	CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3	28 Jan 202618:15	–	osv
Positive Technologies	PT-2026-5176	28 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-66488	29 Jan 202621:21	–	redhatcve
Vulnrichment	CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3	28 Jan 202618:15	–	vulnrichment

NVD

Vulners

Node

discourse discourseRange<3.5.4stable

discourse discourseRange2025.11.0–2025.11.2stable

discourse discourseMatch2025.12.0stable

discourse discourseMatch2026.1.0stable

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "< 3.5.4",
        "status": "affected"
      },
      {
        "version": ">= 2025.11.0-latest, < 2025.11.2",
        "status": "affected"
      },
      {
        "version": ">= 2025.12.0-latest, < 2025.12.1",
        "status": "affected"
      },
      {
        "version": ">= 2026.1.0-latest, < 2026.1.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx

30 Jan 2026 20:31Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.14.6 - 6.1

EPSS0.00019

SSVC

CWE-116