89 matches found
PT-2026-26423
Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. When a user has hide profile enabled, their bio, location, and...
CVE-2022-23641
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, 2.9.0.beta2 in the beta branch, and 2.9.0.beta2 in the tests-passed branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an...
EUVD-2024-52175
Malicious code in bioql PyPI...
EUVD-2023-51262
Malicious code in bioql PyPI...
CVE-2023-47119
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the...
BIT-DISCOURSE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2024-56328
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2024-53851
Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This...
CVE-2024-53851 Partial denial of service via inline oneboxes in Discourse
Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This...
CVE-2024-56328
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2024-56328
CVE-2024-56328 affects Discourse (onebox URL handling). An attacker can cause the execution of arbitrary JavaScript in a user’s browser by posting a maliciously crafted onebox URL, with impact on sites where CSP is disabled. The root cause is the Onebox URL processing in Discourse that allows inl...
CVE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
CVE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...
PT-2025-2994 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed versions Description: The issue is related to the endpoint for generating inline oneboxes for URLs, which did not enforce limits on the number of URLs accepted, allowing a...
PT-2025-3268 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse affected versions not specified Description: The issue allows an attacker to execute arbitrary JavaScript code in users' browsers by posting a maliciously crafted Onebox URL. This problem only affects sites with Content Security...
Discourse 资源管理错误漏洞
Discourse is an open source community discussion platform from Discourse Open Source. The platform includes community, email, and chat room features. Discourse suffers from a resource management error vulnerability that stems from a URL endpoint that generates an inline onebox without limiting th...
PT-2025-3019 · Discourse · Discourse Ai
Name of the Vulnerable Software and Affected Versions: Discourse AI affected versions not specified Description: The issue concerns the Discourse AI plugin, which provides AI features. When sharing conversations from the Discourse AI Bot into posts, HTML entities from the conversation could leak...
BIT-DISCOURSE-2024-37165 Discourse has an XSS via Onebox system
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability ...
CVE-2024-37165
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability ...