254 matches found
CVE-2026-32620
Summary: CVE-2026-32620 affects Discourse. From 2026.1.0-latest up to before 2026.1.3, 2026.2.0-latest up to before 2026.2.2, and 2026.3.0-latest up to before 2026.3.0, non-staff users could access read receipt metadata for staff-only posts they were not supposed to see. No post content was expos...
EUVD-2026-17559
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...
EUVD-2026-17552
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritizefullnameinux site setting is enabled defaults to false, requires console access to change, user...
CVE-2026-32243 Discourse: Stored XSS in discourse-ai shared conversations onebox
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted...
CVE-2026-32113 Discourse: Open redirect via `sso_destination_url` cookie in `enter`
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the ssodestinationurl cookie and redirects to it with allowotherhost: true...
CVE-2026-32143 Discourse: Admin-only report can be exported by moderators
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could...
Discourse 代码问题漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a code issue vulnerability that can be exploited by an attacker to cause the server to initiate outbound connectio...
Discourse 信息泄露漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from non-employee users having access to read receipt informati...
BIT-DISCOURSE-2026-33428 Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0,...
BIT-DISCOURSE-2026-31869 Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the ComposerControllermentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowednames referencing a hidden-membership group and...
BIT-DISCOURSE-2026-27936 Discourse discloses restricted post-action counts to non-privileged users
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No...
BIT-DISCOURSE-2026-27934 Discourse leaks private topic title and post excerpt via user action API endpoint
Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0...
BIT-DISCOURSE-2026-27570 Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a...
CVE-2026-30888
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents ToS, guidelines, privacy policy that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...
CVE-2026-32114
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access metadata about AI personas, features, and LLM models by providing their...
CVE-2026-32099
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has hideprofile enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user's...
CVE-2026-27935
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions...
CVE-2026-33424
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No know...
Discourse Information Disclosure Vulnerability (CNVD-2026-17272)
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from a post edit management report disclosing the first 40...
Unspecified vulnerability in Discourse (CNVD-2026-17481)
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a security vulnerability due to an overly broad authorization check on the deleted post index endpoint, which can ...