CVE-2025-46824
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
07/05/2025
Last modified:
20/08/2025
Description
The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, one may disable the plugin.
Impact
Base Score 3.x
3.10
Severity 3.x
LOW
References to Advisories, Solutions, and Tools
- https://github.com/discourse/discourse-code-review/commit/eed3a801f8fee217fe782212d8950eb1bd236e43
- https://github.com/discourse/discourse-code-review/security/advisories/GHSA-358v-cwvc-gxh5
- https://www.vicarius.io/vsociety/posts/cve-2025-46824-detect-discourse-plugin-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-46824-mitigate-discourse-plugin-vulnerability