CVE-2025-46824
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, one may disable the plugin.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse-code-review | < eed3a80 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://www.vicarius.io/vsociety/posts/cve-2025-46824-detect-discourse-plugin-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-46824-mitigate-discourse-plugin-vulnerability
References
- https://github.com/discourse/discourse-code-review/security/advisories/GHSA-358v-cwvc-gxh5
- https://github.com/discourse/discourse-code-review/commit/eed3a801f8fee217fe782212d8950eb1bd236e43
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.