Lucene search
+L

2962 matches found

Nuclei
Nuclei
added 20 hours ago43 views

Discourse OAuth Social Login - Cross-site Scripting

Discourse versions prior to 3.5.0.beta6 contain a stored Cross-Site Scripting XSS vulnerability in the OAuth/social login functionality. The vulnerability is caused by lack of proper content security policy enforcement when processing social login failures,allowing remote attackers to inject and...

8.1CVSS5.4AI score0.0063EPSS
Exploits0References2
Nuclei
Nuclei
added 20 hours ago88 views

Discourse Backup File Disclosure Via Default Nginx Configuration

Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use FileStore--LocalStore which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick...

7.5CVSS7.3AI score0.25431EPSS
Exploits0References2
NVD
NVD
added 2026/07/09 10:17 p.m.8 views

CVE-2026-59828

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0,...

5.3CVSS0.00314EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.8 views

CVE-2026-55424

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content...

7.4CVSS0.0027EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.9 views

CVE-2026-53962

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue ...

5.4CVSS0.0027EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.9 views

CVE-2026-53961

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish...

6.5CVSS0.00221EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.8 views

CVE-2026-46413

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5...

6.5CVSS0.00366EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.8 views

CVE-2026-49256

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowedtags, allowedtaggroups, or required tag groups could leak to anonymous and unauthorized users through categor...

7.5CVSS0.00373EPSS
Exploits0References5
NVD
NVD
added 2026/07/09 10:17 p.m.8 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

9CVSS0.00451EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.9 views

CVE-2026-44787

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primarygroupid and gain whisper-group privileges without legitimate group membership on sites with whispersallowedgroups configured. This...

8.2CVSS0.00267EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.6 views

CVE-2026-45780

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS0.00364EPSS
Exploits0References9
NVD
NVD
added 2026/07/09 10:17 p.m.12 views

CVE-2026-45788

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pullhotlinkedimages when an attacker knew the secured upload URL and the secureuploads site setting was enabled. This issue is fixed in versions 2026.6.0,...

7.5CVSS0.00465EPSS
Exploits0References9
CVE
CVE
added 2026/07/09 10:8 p.m.14 views

CVE-2026-45780

CVE-2026-45780 affects Discourse prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The issue arises in EventSerializer, which could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event ...

5.3CVSS5.9AI score0.00364EPSS
Exploits0References9Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:8 p.m.8 views

CVE-2026-45780

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS5.9AI score0.00364EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/07/09 10:8 p.m.4 views

CVE-2026-45780 Discourse: Private event sample invitees are serialized to non-invited event viewers

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS6.1AI score0.00364EPSS
Exploits0References11
CVE
CVE
added 2026/07/09 10:5 p.m.8 views

CVE-2026-53963

CVE-2026-53963 (Discourse) describes a stored XSS in the delete confirmation dialog for a malicious second-factor name on an attacker-controlled account. Affected software is Discourse (open-source discussion platform); vulnerable versions are prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. ...

9CVSS5.8AI score0.00451EPSS
Exploits0References9Affected Software1
Cvelist
Cvelist
added 2026/07/09 10:5 p.m.35 views

CVE-2026-53963 Discourse: Stored-XSS in 2FA delete confirmation modal

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS0.00451EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:5 p.m.6 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS5.8AI score0.00451EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/07/09 10:5 p.m.4 views

CVE-2026-53963 Discourse: Stored-XSS in 2FA delete confirmation modal

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS6.1AI score0.00451EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:4 p.m.7 views

CVE-2026-59828

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0,...

5.3CVSS5.9AI score0.00314EPSS
Exploits0References10Affected Software1
Rows per page
Query Builder