CVE-2023-22468

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Published: Jan 26, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-22468
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
discourse / discourse	-	2.8.13
discourse / discourse	2.9.0-beta1	2.9.0-beta1.x
discourse / discourse	2.9.0-beta10	2.9.0-beta10.x
discourse / discourse	2.9.0-beta11	2.9.0-beta11.x
discourse / discourse	2.9.0-beta12	2.9.0-beta12.x
discourse / discourse	2.9.0-beta13	2.9.0-beta13.x
discourse / discourse	2.9.0-beta14	2.9.0-beta14.x
discourse / discourse	2.9.0-beta2	2.9.0-beta2.x
discourse / discourse	2.9.0-beta3	2.9.0-beta3.x
discourse / discourse	2.9.0-beta4	2.9.0-beta4.x
discourse / discourse	2.9.0-beta5	2.9.0-beta5.x
discourse / discourse	2.9.0-beta6	2.9.0-beta6.x
discourse / discourse	2.9.0-beta7	2.9.0-beta7.x
discourse / discourse	2.9.0-beta8	2.9.0-beta8.x
discourse / discourse	2.9.0-beta9	2.9.0-beta9.x
discourse / discourse	3.0.0-beta15	3.0.0-beta15.x

https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m

Vulnerability Database

309,083

CVE-2023-22468

Deep Security Visibility Without the Complexity