2870 matches found

RedhatCVE, added 2026/01/09 9:14 a.m., 7 views

CVE-2022-23641

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, 2.9.0.beta2 in the beta branch, and 2.9.0.beta2 in the tests-passed branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an...

CVSS 6.5, AI score 6.6, EPSS 0.01141
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:14 a.m., 8 views

CVE-2022-23546

In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded URLs can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue...

CVSS 5.5, AI score 7, EPSS 0.0028
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:14 a.m., 5 views

CVE-2022-23548

Discourse is an open source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and...

CVSS 6.5, AI score 6.6, EPSS 0.00729
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:13 a.m., 6 views

CVE-2022-31182

Discourse is an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, beta and...

CVSS 5.3, AI score 6.6, EPSS 0.00635
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:13 a.m., 5 views

CVE-2022-31096

Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite h...

CVSS 5.7, AI score 6.5, EPSS 0.00433
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:04 a.m., 4 views

CVE-2024-39320

Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5...

CVSS 6.1, AI score 6.8, EPSS 0.0036
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:01 a.m., 5 views

CVE-2023-43658

discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP...

CVSS 8, AI score 6, EPSS 0.00501
Exploits 0, References 1

RedhatCVE, added 2026/01/09 9:00 a.m., 5 views

CVE-2023-43659

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the...

CVSS 8, AI score 6.6, EPSS 0.00417
Exploits 0, References 1

RedhatCVE, added 2026/01/09 8:58 a.m., 8 views

CVE-2023-45131

Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for...

CVSS 7.5, AI score 6.7, EPSS 0.01814
Exploits 2, References 1

RedhatCVE, added 2026/01/09 8:54 a.m., 7 views

CVE-2021-41163

Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of...

CVSS 10, AI score 7.5, EPSS 0.19812
Exploits 0, References 1

RedhatCVE, added 2026/01/09 8:54 a.m., 7 views

CVE-2021-41082

Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users wer...

CVSS 7.5, AI score 6.8, EPSS 0.01733
Exploits 0, References 1

RedhatCVE, added 2026/01/09 8:49 a.m., 13 views

CVE-2025-23023

Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous...

CVSS 8.2, AI score 6.6, EPSS 0.00237
Exploits 0, References 1

OSV, added 2026/01/08 11:40 a.m., 3 views

BIT-DISCOURSE-2025-64528 Users are able to find users by name even when `enable_names` is off

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3, AI score 6.8, EPSS 0.00242
Exploits 0, References 5

OpenVAS, added 2026/01/05 12:00 a.m., 2 views

Discourse 2025.11.x < 2025.11.1 Information Disclosure Vulnerability

Discourse is prone to an information disclosure vulnerability...

CVSS 6.3, AI score 5.2, EPSS 0.00242
Exploits 0, References 1

OpenVAS, added 2026/01/05 12:00 a.m., 2 views

Discourse < 3.5.3 Information Disclosure Vulnerability

Discourse is prone to an information disclosure vulnerability...

CVSS 6.3, AI score 5.2, EPSS 0.00242
Exploits 0, References 1

RedhatCVE, added 2025/12/31 4:09 p.m., 16 views

CVE-2025-64528

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3, AI score 6.8, EPSS 0.00242
Exploits 0, References 1

NVD, added 2025/12/30 4:15 p.m., 2 views

CVE-2025-64528

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3, EPSS 0.00242
Exploits 0, References 4

EUVD, added 2025/12/30 4:04 p.m., 4 views

EUVD-2025-205817

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3, AI score 6.3, EPSS 0.00242
Exploits 0, References 4

CVE, added 2025/12/30 4:04 p.m., 9 views

CVE-2025-64528

CVE-2025-64528 affects Discourse prior to versions 3.5.3, 2025.11.1, and 2025.12.0. An attacker who knows part of a username can discover the user and their full name via UI or API, even when enable_names is disabled. The issue is confirmed across multiple sources (NVD, Red Hat, OSV, OpenVAS, etc...

CVSS 6.3, AI score 6.4, EPSS 0.00242
Exploits 0, References 4, Affected Software 1

Cvelist, added 2025/12/30 4:04 p.m., 23 views

CVE-2025-64528 Users are able to find users by name even when `enable_names` is off

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3, EPSS 0.00242
Exploits 0, References 4