Nixpkgs security tracker
Discourse has XSS when editing a malicious post
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
References
-
https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8 x_refsource_CONFIRM
Affected products
- ==>= 2026.1.0-latest, < 2026.1.1
- ==< 2025.12.2
- ==>= 2026.2.0-latest, < 2026.2.0
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
pkgs.discourseAllPlugins
Discourse is an open source discussion platform
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>