CVE-2025-48062: Discourse vulnerable to HTML injection when inviting to topic via email
Description
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
Classification
CVE ID: CVE-2025-48062
CVSS Base Severity: HIGH
CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Problem Types
CWE-116: Improper Encoding or Escaping of Output CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected Products
Vendor: discourse
Product: discourse
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 9.02% (scored less or equal to compared to others)
EPSS Date: 2025-06-24 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-48062https://github.com/discourse/discourse/security/advisories/GHSA-x8mp-chx3-6x2p