CVE-2025-46824

3.1 LOW

Published: May 07, 2025 Modified: April 15, 2026

Description

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, one may disable the plugin.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/discourse/discourse-code-review/commit/eed3a801f8fee217fe782212d8950eb1bd236e43

Source: security-advisories@github.com

https://github.com/discourse/discourse-code-review/security/advisories/GHSA-358v-cwvc-gxh5

Source: security-advisories@github.com

https://www.vicarius.io/vsociety/posts/cve-2025-46824-detect-discourse-plugin-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2025-46824-mitigate-discourse-plugin-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

3.1 / 10.0

EPSS (Exploit Probability)

0.2%

36th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-79

Related CVEs

CVE-2026-6704 6.1

CVE-2026-6702 6.1

CVE-2026-6701 4.3

CVE-2026-6700 4.3

CVE-2026-6696 6.1