2870 matches found
CVE-2026-27154
Discourse contains an XSS flaw in which a user’s full name can be evaluated as raw HTML when display_name_on_posts is true and prioritize_username_in_ux is false. The issue occurs when editing a post by a malicious user, potentially triggering XSS. Affected versions include prior to 2025.12.2, 20...
CVE-2026-27154 Discourse has XSS when editing a malicious post
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: displaynameonposts = true; and prioritizeusernameinux = false. Editing a post of a malicious user would trigger ...
CVE-2026-27153
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...
CVE-2026-27153 Discourse doesn't prevent moderators from exporting user Chat DMs
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...
CVE-2026-27153
Discourse (open source discussion platform) is affected prior to versions 2025.12.2, 2026.1.1, and 2026.2.0. The issue arises from an overly permissive allowlist in can_export_entity?, letting moderators export any entity not explicitly blocked via the CSV export endpoint to access user Chat DMs....
CVE-2026-27153 Discourse doesn't prevent moderators from exporting user Chat DMs
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...
EUVD-2026-8894
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...
CVE-2026-27153 Discourse doesn't prevent moderators from exporting user Chat DMs
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...
CVE-2026-26973
Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR Insecure Direct Object Reference in ReviewableNotesController. When enablecategorygroupmoderation is enabled, a user belonging to a category moderation group can create or delete thei...
CVE-2026-26979
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available...
EUVD-2026-8891
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27152
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27152
Discourse vulnerability CVE-2026-27152 affects prior builds before 2025.12.2, 2026.1.1, and 2026.2.0 where DM communication-preference restrictions can be bypassed when adding members to an existing DM channel via Chat::AddUsersToChannel. This allows targeted users who have blocked, ignored, or m...
CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27162
Technical details about CVE-2026-27162 are not publicly provided in the supplied documents; monitor for updates.
CVE-2026-27162
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...
CVE-2026-27162 DIscourse doesn't prevent whispers to leak in excerpts
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...
EUVD-2026-8892
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...