8 matches found
CVE-2026-27166
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
CVE-2026-27166
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
CVE-2026-27166 Discourse vulnerable to HTML injection via prohibited iframe URLs
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
CVE-2026-27166
CVE-2026-27166 (Discourse) : Vulnerability in the default Codepen iframe handling where insufficient cleanup allowed an attacker to cause a user to change the main page URL. Affected software: Discourse before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Root cause: improper filtering/clea...
CVE-2026-27166 Discourse vulnerable to HTML injection via prohibited iframe URLs
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...
BIT-DISCOURSE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...
CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...
CVE-2025-48877
Summary: CVE-2025-48877 affects Discourse. Before the patched releases, Codepen could be present in the default allowed_iframes site setting, potentially auto-running arbitrary JS in the iframe scope. Affected versions (as stated): Discourse < 3.4.4 (stable), < 3.5.0.beta5 (beta), and