502 matches found
CVE-2026-32143
Discourse exposes a CSV export vulnerability (CVE-2026-32143) where moderators could export data from admin-restricted reports, bypassing visibility controls. Affected versions include 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. ...
Discourse 信息泄露漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from the possibility of inferring the identity of a channel...
Discourse 信息泄露漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that can be exploited by attackers to cause moderators to obtain informati...
PT-2026-29308
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read acce...
Discourse 跨站脚本漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a cross-site scripting vulnerability that can be exploited by an attacker to inject arbitrary HTML and JavaScript...
PT-2026-29305
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted...
BIT-DISCOURSE-2026-33427 Discourse Authorization Page Displays Unvalidated Redirect Domain
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0,...
BIT-DISCOURSE-2026-33394 Discourse leaks PM post edits to moderators
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the Post Edits admin report /admin/reports/postedits leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Version...
BIT-DISCOURSE-2026-32114 Discourse's unscoped status lookups leak restricted metadata
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access metadata about AI personas, features, and LLM models by providing their identifiers. Th...
BIT-DISCOURSE-2026-27935 Discourse leaks private topic metadata to non-authorized users
Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0,...
CVE-2026-33423
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available...
CVE-2026-30891
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a pat...
CVE-2026-30889
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain...
CVE-2026-27936
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2...
CVE-2026-27491
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the...
CVE-2026-33393
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the allowedspamhostdomains check used Stringendwith? without domain boundary validation, allowing domains like attacker-example.com to bypass spam protection when example.com was...
CVE-2026-33428
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions...
Discourse Information Disclosure Vulnerability (CNVD-2026-17479)
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from insufficient authorization checks on user-operated...
CVE-2026-33427
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions...
CVE-2026-33426
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0-latest.1,...