CVE-2026-27154 - Discourse has XSS when editing a malicious post

CVE ID : CVE-2026-27154 Published : Feb. 26, 2026, 9:20 p.m. | 45 minutes ago Description : Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a malicious user would trigger an XSS. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...