CVE-2025-48062 is a high-severity vulnerability affecting Discourse, an open-source discussion platform widely used for online community forums and collaboration. The vulnerability stems from improper encoding or escaping of output (CWE-116) leading to HTML injection (CWE-79) in email invitations sent by Discourse. Specifically, when inviting users without accounts to private messages (PMs) or topics with a custom message, if the topic title contains HTML code, this HTML is not properly sanitized before being included in the email body. This flaw exists in Discourse versions prior to 3.4.4 on the stable branch, prior to 3.5.0.beta5 on the beta branch, and prior to 3.5.0.beta6-dev on the tests-passed branch. The vulnerability allows an attacker with at least limited privileges (PR:L) to craft topic titles containing malicious HTML that will be injected into invitation emails sent to recipients. The CVSS 3.1 score is 7.1 (high), reflecting that the attack vector is network-based (AV:N), requires low complexity (AC:L), privileges (PR:L), no user interaction (UI:N), and impacts confidentiality highly (C:H) with limited integrity impact (I:L) and no availability impact (A:N). The vulnerability can be mitigated by upgrading to the patched versions or by overriding the relevant email templates to exclude the {topic_title} variable. No known exploits are currently reported in the wild. This vulnerability is significant because email clients rendering injected HTML could execute malicious scripts or phishing content, potentially compromising recipients' confidentiality or leading to further attacks such as credential theft or session hijacking.

For European organizations using Discourse to manage community forums, customer support, or internal collaboration, this vulnerability poses a risk to confidentiality and trust. Attackers could exploit this flaw to inject malicious HTML into invitation emails, potentially leading to phishing attacks, credential harvesting, or malware delivery when recipients open the emails. Since the vulnerability requires only low privileges and no user interaction, it could be exploited by insiders or external attackers who can create topics with malicious titles. The impact is particularly critical for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies, where leakage of confidential information or compromise of user credentials could have severe legal and reputational consequences under GDPR and other regulations. Additionally, the vulnerability could be leveraged to target high-profile individuals or groups within organizations, increasing the risk of spear-phishing campaigns. The lack of availability impact means service disruption is unlikely, but the confidentiality breach risk remains significant.

European organizations should prioritize upgrading Discourse installations to version 3.4.4 or later on the stable branch, or the corresponding patched beta or tests-passed versions. Until upgrades can be applied, administrators should override the email invitation templates to remove the {topic_title} variable, preventing injection of malicious HTML in emails. Organizations should also audit topic titles for suspicious or unexpected HTML content and restrict topic creation privileges to trusted users to reduce the risk of exploitation. Implementing email security controls such as DMARC, DKIM, and SPF can help reduce the risk of phishing emails reaching end users. End users should be trained to recognize suspicious invitation emails and avoid clicking on unexpected links. Monitoring email logs for unusual invitation activity and scanning outgoing emails for malicious content can provide early detection of exploitation attempts. Finally, organizations should maintain an incident response plan to quickly address any suspected compromise resulting from this vulnerability.