Security Advisory

CVE-2026-27166

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-19 20:29:22

Last updated 2026-03-21 03:31:58

Assigner GitHub_M

State PUBLISHED

Description

Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2. To workaround this issue, remove Codepen from the list of allowed iframes.

← Browse all CVEs View on cve.org ↗