Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026

Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin

CVE-2025-67723

Description

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.

Affected products

Discourse (software)/DiscourseOSV
Range: beta, latest-release, release, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000