CVE-2025-64528
CVE-2025-64528 affects Discourse prior to versions 3.5.3, 2025.11.1, and 2025.12.0. An attacker who knows part of a username can discover the user and their full name via UI or API, even when enable_names is disabled. The issue is confirmed across multiple sources (NVD, Red Hat, OSV, OpenVAS, etc...