Cyber Resilience

CVE-2025-48954

High

Published: 25 June 2025

Published
25 June 2025
Modified
25 September 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.1012 93.3th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48954 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Discourse Discourse. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Discourse, an open-source discussion platform, is affected by CVE-2025-48954, a cross-site scripting vulnerability (CWE-79) present in versions prior to 3.5.0.beta6. The flaw manifests specifically when the content security policy is disabled and social logins are in use, allowing attacker-controlled content to execute in users' browsers. The issue carries a CVSS 3.1 score of 8.1, reflecting network attack vector, low complexity, no required privileges, and required user interaction.

An unauthenticated attacker can exploit the vulnerability by crafting a malicious social-login flow that injects scripts into the Discourse instance. Successful exploitation grants the ability to read sensitive data and perform actions on behalf of the victim user, resulting in high impact to confidentiality and integrity without affecting availability.

The official advisory at https://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf states that version 3.5.0.beta6 contains the fix. As a workaround, administrators are advised to enable the content security policy until the update can be applied.

EPSS for the CVE reached a peak of 0.1558 after disclosure before settling at the current value of 0.1012, indicating emerging exploitation interest that warrants renewed attention.

EU & UK References

Vulnerability details

Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

discourse
discourse
3.5.0 · ≤ 3.5.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References