CVE-2025-46824 is a security vulnerability classified as CWE-79, which corresponds to Cross-site Scripting (XSS). This vulnerability affects the discourse-code-review plugin, a component used within the Discourse platform to facilitate GitHub commit reviews. Specifically, versions of the plugin prior to commit eed3a80 are vulnerable. The flaw arises due to improper neutralization of input during web page generation, allowing an attacker to inject malicious JavaScript code via specially crafted links to GitHub commits. When a user views these malicious links within the Discourse interface, the injected script executes in the context of the user's browser session. This can lead to the attacker performing actions such as session hijacking, cookie theft, or other client-side attacks. The vulnerability does not require user interaction beyond viewing the malicious content and requires low privileges to exploit, but the attack complexity is high due to the need to craft specific malicious commit links. The vulnerability has a CVSS v3.1 base score of 3.1, indicating a low severity primarily due to limited impact on confidentiality and no impact on integrity or availability. No known exploits are currently reported in the wild. The issue is patched in commit eed3a80 of the discourse-code-review plugin, and as a temporary mitigation, disabling the plugin is recommended.

For European organizations using Discourse with the discourse-code-review plugin, this vulnerability poses a risk primarily to the confidentiality of user data. If exploited, attackers could execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking or theft of sensitive information such as authentication tokens or personal data. While the impact on system integrity and availability is negligible, the breach of confidentiality can undermine trust and compliance with data protection regulations such as GDPR. Since the plugin is often used in developer and collaboration communities, exploitation could lead to unauthorized access to internal discussions or code review processes, indirectly affecting organizational security posture. However, the low CVSS score and absence of known active exploits suggest the immediate risk is limited, but organizations should not disregard the vulnerability due to the potential for targeted attacks.

Organizations should promptly update the discourse-code-review plugin to the patched version including commit eed3a80 or later. If immediate patching is not feasible, disabling the discourse-code-review plugin entirely is advised to prevent exploitation. Additionally, administrators should review and sanitize any existing GitHub commit links posted within Discourse to ensure they do not contain malicious payloads. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regular security audits and user awareness training on recognizing suspicious links can further reduce risk. Monitoring Discourse logs for unusual activity related to commit links and user sessions can help detect attempted exploitation. Finally, ensure that Discourse and all plugins are kept up to date as part of a robust patch management process.