Unrated severityNVD Advisory· Published Aug 19, 2025· Updated Aug 19, 2025

Discourse welcome banner user name XSS

CVE-2025-54411

Description

Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate any users for the time being. This vulnerability is fixed in 3.5.0.beta8.

Affected products

Discourse (software)/Discoursev5
Range: < 3.5.0.beta8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/a3374d2850f07444d113216e1d539ee21650dbffmitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-5mm6-j5vq-6884mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000