CVE-2026-26207
CVE-2026-26207 affects Discourse with the discourse-policy plugin. Prior to versions 2025.12.2, 2026.1.1 and 2026.2.0, PolicyController loads posts by ID without verifying the current user’s visibility, allowing authenticated users to interact with policies on posts they cannot view and to enumer...
CVE-2026-26207
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, discourse-policy plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The PolicyController loads posts by ID without verifying the current...
EUVD-2025-206450
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scripting vulnerability in the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2,...
PT-2023-30402 · Pkp-Wal · Pkp-Wal
Name of the Vulnerable Software and Affected Versions: PKP-WAL versions prior to 3.3.0-16 PKP-WAL versions prior to 3.4.0-3 Description: The issue arises from the failure to verify that a file named in an XML document, used for the native import/export plugin, is an image file before attempting t...
PT-2021-18556 · Apache · Apache Solr
Name of the Vulnerable Software and Affected Versions: Apache Solr versions prior to 8.8.2 Description: The issue arises when using ConfigurableInternodeAuthHadoopPlugin for authentication. In this scenario, distributed requests are forwarded or proxied using server credentials instead of the...
PT-2019-11777 · Jenkins · Jenkins Codefresh Integration Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Codefresh Integration Plugin versions 1.8 and earlier Description: The issue concerns the Jenkins Codefresh Integration Plugin, which unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. This...