CVE-2025-22602

Published Feb 4, 2025

Last updated a month ago

CVSS medium 6.5

Overview

Description
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP.
Source
security-advisories@github.com
NVD status
Analyzed
Products
discourse

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-79

Social media

Hype score
Not currently trending

  1. 🚨 #Breakingnews: "CVE-2025-22602" A new CVE detected - with severity "MEDIUM". More: https://t.co/jrxEYrU5Q0. 📢 Follow us for more updates! #CVE #ThreatAlert #InfoSec #CriticalVulnerability

    @bluepinksec

    5 Feb 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-22602 Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malic… https://t.co/uagsreDZ6B

    @CVEnew

    4 Feb 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.