BIT-DISCOURSE-2026-32243 Discourse: Stored XSS in discourse-ai shared conversations onebox

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the...

CVE-2026-27570

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...

CVE-2026-25083

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages...

Discourse cross-site scripting vulnerability (CNVD-2026-17264)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a cross-site scripting vulnerability that stems from the onebox method in the SharedAiConversation model rendering...

CVE-2026-27570

Discourse is vulnerable to stored XSS via the SharedAiConversation onebox. In affected versions before 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox renders the conversation title into HTML without proper sanitization. A patch exists in 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The recom...

EUVD-2026-13192

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...

Weseek Growi 安全漏洞

Weseek Growi is an open-source wiki system developed by the Japanese company Weseek, which can be written in Markdown format. Versions of Weseek Growi prior to v7.4.5 contained security vulnerabilities. These vulnerabilities stemmed from the OpenAI thread/message API endpoints not performing...