Vulnerability Database

309,103

Total vulnerabilities in the database

CVE-2021-32764

Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. The issue is patched in stable version 2.7.6, beta version 2.8.0.beta3, and tests-passed version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Published: Jul 15, 2021
Updated: Nov 16, 2025
CVE: CVE-2021-32764
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
discourse / discourse	-	2.7.5.x
discourse / discourse	2.8.0-beta1	2.8.0-beta1.x

https://github.com/discourse/discourse/security/advisories/GHSA-9x4c-29xg-56hw

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo