CVE-2025-48877CRITICAL 9.8EPSS p26.5%

CVE-2025-48877CVE-2025-48877

Description

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.35% probability of exploitation · percentile 26.5% · 2026-06-19T12:03:05Z
Published2025-06-09
Last modified2025-09-25

Underlying weaknesses· 1

CWE-1038

References

  1. https://github.com/discourse/discourse/security/advisories/GHSA-cm93-6m2m-cjcv

1

TypeTargetConfidenceTier
WeaknessInsecure Automated Optimizationscwe-10380%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-23023
CVE
CVE-2025-53102
CVE
CVE-2026-33514
CVE
CVE-2026-31805
CVE
CVE-2026-32244
CVE
CVE-2026-34154
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.