CVE-2025-48954
published 2025-06-25CVE-2025-48954: Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't…
PriorityP338medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
0.63%
45.6th percentile
Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| discourse | discourse | < 3.5.0.beta6 | 3.5.0.beta6 |
| discourse | discourse | < 3.5.0 | 3.5.0 |
| discourse | discourse | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
Discourse OAuth Social Login - Cross-site Scripting
nuclei·CVSS 6.1
CVE-2025-48954 [MEDIUM] Discourse OAuth Social Login - Cross-site Scripting
Discourse OAuth Social Login - Cross-site Scripting
Discourse versions prior to 3.5.0.beta6 contain a stored Cross-Site Scripting (XSS) vulnerability in the OAuth/social login functionality. The vulnerability is caused by lack of proper content security policy enforcement when processing social login failures,allowing remote attackers to inject and execute malicious scripts in users' browsers.
Template:
id: CVE-2025-48954
info:
name: Discourse OAuth Social Login - Cross-site Scripting
author: ferreiraklet,DhiyaneshDK,pdresearch
severity: high
description: |
Discourse versions prior to 3.5.0.beta6 contain a stored Cross-Site Scripting (XSS) vulnerability in the OAuth/social login functionality. The vulnerability is caused by lack of proper content security policy enforcement when proces
No writeups or analysis indexed.
2025-06-25
Published