CVE-2026-33355

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...

BIT-DISCOURSE-2026-27162 DIscourse doesn't prevent whispers to leak in excerpts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162 DIscourse doesn't prevent whispers to leak in excerpts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

EUVD-2026-8892

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162 DIscourse doesn't prevent whispers to leak in excerpts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

CVE-2026-27162 DIscourse doesn't prevent whispers to leak in excerpts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, postsnearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.securedguardian to properly filter po...

PT-2026-22188

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2025.12.2 Discourse versions prior to 2026.1.1 Discourse versions prior to 2026.2.0 Description Discourse, an open source discussion platform, had an issue where the posts nearby function was not properly filtering...

EUVD-2024-29116

Malicious code in bioql PyPI...

BIT-DISCOURSE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispersallowedgroups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVE-2025-49845

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispersallowedgroups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVE-2025-49845

Discourse has a vulnerability (CVE-2025-49845) where users on versions prior to 3.4.6 (stable) or 3.5.0.beta8-dev (tests-passed) can still view their own whispers after losing visibility to posts typed whisper. The issue is fixed in 3.4.6 and 3.5.0.beta8-dev. No publicly provided workarounds are ...

CVE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispersallowedgroups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispersallowedgroups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVE-2024-31219

Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via whispersallowedgroups and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the /u/:username/activity/reaction...

CVE-2024-31219

Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via whispersallowedgroups and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the /u/:username/activity/reaction...

CVE-2024-31219 Discourse-reactions' reaction data and public topic whisper content exposed on reactions given user activity page

Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via whispersallowedgroups and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the /u/:username/activity/reaction...

CVE-2024-31219 Discourse-reactions' reaction data and public topic whisper content exposed on reactions given user activity page

Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via whispersallowedgroups and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the /u/:username/activity/reaction...