Discourse: XSS Vulnerability via User Full Name Rendering
by the Hossted team
03.03.2026

In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0, a low-severity vulnerability, CVE-2026-27154, was identified. It allows an attacker to achieve cross-site scripting (XSS): a user's full name is evaluated as raw HTML when display_name_on_posts is set to true and prioritize_username_in_ux is set to false. Editing a post authored by a malicious user triggers the XSS. To address this issue, users must upgrade to Discourse version 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27154.
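The root cause described above is a display name being interpolated into post markup without escaping. The following added example (illustrative code written for this page, not Discourse's own rendering code) shows the weak pattern beside the hardened one: the name selection mirrors the two site settings named in the advisory, the sample user record and the helper names (escapeHtml, pickDisplayedName, renderPosterUnsafe, renderPosterSafe, containsRawTags) are constructed here, and the check at the end is the kind of assertion a reviewer can run to confirm that no markup from the user record survives into the rendered fragment.

```javascript
// Added example: escaping a user-supplied display name before it is placed
// into post HTML. Not Discourse code; all names and sample data are
// constructed for illustration.

// Minimal HTML escaper suitable for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the two site settings named in the advisory: the full name is shown
// only when display_name_on_posts is true and prioritize_username_in_ux is
// false; otherwise the username is shown.
function pickDisplayedName(user, settings) {
  const showFullName =
    settings.display_name_on_posts && !settings.prioritize_username_in_ux;
  return showFullName && user.name ? user.name : user.username;
}

// Weak pattern: the chosen name is concatenated straight into markup, so any
// markup contained in the name becomes part of the page.
function renderPosterUnsafe(user, settings) {
  return `<span class="poster">${pickDisplayedName(user, settings)}</span>`;
}

// Hardened pattern: every value originating from the user record is escaped
// before interpolation, so the name is displayed as literal text.
function renderPosterSafe(user, settings) {
  return `<span class="poster">${escapeHtml(
    pickDisplayedName(user, settings)
  )}</span>`;
}

// Reviewer check: strip the known wrapper element and report whether any
// tag-like sequence from the untrusted value survived into the fragment.
function containsRawTags(html) {
  const inner = html.replace(/^<span class="poster">|<\/span>$/g, "");
  return /<[a-zA-Z\/]/.test(inner);
}

// Constructed sample data: a full name that contains markup, and the setting
// combination the advisory describes as affected.
const sampleUser = { username: "sample_user", name: "<b>Sample</b> Name" };
const affectedSettings = {
  display_name_on_posts: true,
  prioritize_username_in_ux: false,
};

// Stand-alone run: the unsafe renderer leaks the tags, the safe one does not.
console.log("unsafe:", renderPosterUnsafe(sampleUser, affectedSettings));
console.log("safe:  ", renderPosterSafe(sampleUser, affectedSettings));
console.log(
  "raw tags survive? unsafe =",
  containsRawTags(renderPosterUnsafe(sampleUser, affectedSettings)),
  "safe =",
  containsRawTags(renderPosterSafe(sampleUser, affectedSettings))
);
```

In a templating framework the equivalent fix is to let the template engine escape the interpolated value (the default behaviour) rather than marking the name as trusted HTML; the escapeHtml helper above stands in for that default. Note also that flipping prioritize_username_in_ux to true only sidesteps the affected code path, so upgrading remains the actual fix.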