18 matches found

OSV · added 2026/03/27 7:10 a.m.

BIT-DISCOURSE-2026-29072 Discourse missing permission check for policy creation in discourse-policy

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain...

CVSS 8.2 · AI score 5.8 · EPSS 0.00231 · Exploits 0 · References 2
OSV · added 2026/03/27 7:10 a.m.

BIT-DISCOURSE-2026-28282 Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a...

CVSS 6.5 · AI score 5.7 · EPSS 0.00332 · Exploits 0 · References 5
CVE · added 2026/03/19 9:49 p.m.

CVE-2026-29072

CVE-2026-29072 affects Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where users not in the allowed policy creation groups could create functional policy acceptance widgets in posts under certain conditions. The root cause is a flaw in policy widget creation permissions that allow...

CVSS 8.2 · AI score 5.7 · EPSS 0.00231 · Exploits 0 · References 1 · Affected software 1
Vulnrichment · added 2026/03/19 9:49 p.m.

CVE-2026-29072 Discourse missing permission check for policy creation in discourse-policy

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, an...

CVSS 8.2 · AI score 5.7 · EPSS 0.00231 · Exploits 0 · References 1
Positive Technologies · added 2026/03/19 12:00 a.m.

PT-2026-26379

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2,...

CVSS 8.2 · AI score 5.8 · EPSS 0.00231 · Exploits 0 · References 5
Positive Technologies · added 2026/03/19 12:00 a.m.

PT-2026-26378

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. A security flaw exists within the discourse-policy plugin that...

CVSS 6.5 · AI score 5.8 · EPSS 0.00332 · Exploits 0 · References 8
Vulnrichment · added 2026/02/26 3:04 p.m.

CVE-2026-26207 Discourse's discourse-policy plugin lacks post access check

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, discourse-policy plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The PolicyController loads posts by ID without verifying the current...

CVSS 5.4 · AI score 6 · EPSS 0.00151 · Exploits 0 · References 1
CVE · added 2026/02/26 3:04 p.m.

CVE-2026-26207

CVE-2026-26207 affects Discourse with the discourse-policy plugin. Prior to versions 2025.12.2, 2026.1.1 and 2026.2.0, PolicyController loads posts by ID without verifying the current user’s visibility, allowing authenticated users to interact with policies on posts they cannot view and to enumer...

CVSS 5.4 · AI score 5.6 · EPSS 0.00151 · Exploits 0 · References 1 · Affected software 1
OSV · added 2026/02/26 3:04 p.m.

CVE-2026-26207 Discourse's discourse-policy plugin lacks post access check

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, discourse-policy plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The PolicyController loads posts by ID without verifying the current...

CVSS 5.4 · AI score 6 · EPSS 0.00151 · Exploits 0 · References 3
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2025-16482

Malicious code in bioql PyPI...

CVSS 3.5 · AI score 6.5 · EPSS 0.00217 · Exploits 0 · References 2
RedhatCVE · added 2025/05/31 7:50 p.m.

CVE-2025-47288

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVSS 3.5 · AI score 6.7 · EPSS 0.00217 · Exploits 0 · References 1
NVD · added 2025/05/29 8:15 p.m.

CVE-2025-47288

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVSS 3.5 · EPSS 0.00217 · Exploits 0 · References 2
Cvelist · added 2025/05/29 7:25 p.m.

CVE-2025-47288 Discourse Policy plugin private group members visible

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVSS 3.5 · EPSS 0.00217 · Exploits 0 · References 2
CVE · added 2025/05/29 7:25 p.m.

CVE-2025-47288

Affected product: Discourse Policy plugin. Vulnerable: versions prior to 0.1.1. Root cause: a policy posted to a public topic that was tied to a private group could cause group members to be visible to non-group members. Impact: information disclosure of private-group membership (partial confiden...

CVSS 3.5 · AI score 3.9 · EPSS 0.00217 · Exploits 0 · References 2
Vulnrichment · added 2025/05/29 7:25 p.m.

CVE-2025-47288 Discourse Policy plugin private group members visible

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVSS 3.5 · AI score 3.9 · EPSS 0.00217 · Exploits 0 · References 2
OSV · added 2025/05/29 7:25 p.m.

CVE-2025-47288 Discourse Policy plugin private group members visible

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVSS 3.5 · AI score 6.6 · EPSS 0.00217 · Exploits 0 · References 4
Positive Technologies · added 2025/05/29 12:00 a.m.

PT-2025-23195 · Discourse · Discourse Policy Plugin

Name of the Vulnerable Software and Affected Versions: Discourse Policy plugin versions prior to 0.1.1 Description: The issue concerns the Discourse Policy plugin, which allows confirming users have seen or done something. Prior to version 0.1.1, if a policy was posted to a public topic tied to a...

CVSS 3.5 · AI score 6.3 · EPSS 0.00217 · Exploits 0 · References 6
CNNVD · added 2025/05/29 12:00 a.m.

Discourse Policy information disclosure vulnerability

Discourse Policy is an open source plugin for Discourse that confirms that a user has seen or done something by alerting them. An information disclosure vulnerability exists in versions prior to Discourse Policy 0.1.1 that stems from not properly handling private group policies, which could lead ...

CVSS 3.5 · AI score 5.9 · EPSS 0.00217 · Exploits 0 · References 2
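Two of the results above describe the same class of defect in discourse-policy: the PolicyController acting on a post loaded by ID without checking that the caller may see it (CVE-2026-26207), and a policy tied to a private group exposing that group's member list to anyone who can view a public topic (CVE-2025-47288). The Ruby below is an added illustration of both checks, not code from the discourse-policy plugin or from Discourse itself; the Guardian class, the record structs, the method names and the sample data are simplified stand-ins constructed for this example, and only the shape of the check (look up, then authorize against the viewer, and fail closed) is meant to carry over.

```ruby
# Added illustration, not discourse-policy's own code: a stand-in for
# Discourse's Guardian plus the two authorization checks whose absence
# the CVE-2026-26207 and CVE-2025-47288 entries describe. Every name and
# record here is constructed for the example.

# A group with a member list; `members_public` models whether the
# member list may be shown to non-members.
Group = Struct.new(:name, :members, :members_public)
# A post; `restricted_to` is nil for a public topic, or the Group whose
# members alone may read it. `policy_group` is the group the policy asks
# to accept.
Post = Struct.new(:id, :restricted_to, :policy_group)

class Guardian
  def initialize(user)
    @user = user
  end

  def can_see_post?(post)
    post.restricted_to.nil? || post.restricted_to.members.include?(@user)
  end

  def can_see_group_members?(group)
    group.members_public || group.members.include?(@user)
  end
end

# CVE-2026-26207 pattern: the post is loaded by ID and acted on without
# asking whether the caller may even see it. A missing ID raises while a
# hidden one succeeds, so the responses also leak which IDs exist.
def accept_policy_vulnerable(posts, post_id, user, accepted)
  post = posts.fetch(post_id)
  accepted[[post.id, user]] = true
  :accepted
end

# Hardened: a post the caller cannot see is handled exactly like a post
# that does not exist, so there is no ID-enumeration oracle either.
def accept_policy_fixed(posts, post_id, user, accepted)
  post = posts[post_id]
  return :not_found if post.nil? || !Guardian.new(user).can_see_post?(post)
  accepted[[post.id, user]] = true
  :accepted
end

# CVE-2025-47288 pattern: the widget lists who has and has not accepted,
# which is the private group's member list, regardless of who is looking.
def policy_widget_vulnerable(post, accepted)
  members = post.policy_group.members
  {
    accepted: members.select { |m| accepted[[post.id, m]] },
    pending:  members.reject { |m| accepted[[post.id, m]] },
  }
end

# Hardened: render the per-member lists only to viewers allowed to see
# the group's membership; everyone else gets the widget without names.
def policy_widget_fixed(post, viewer, accepted)
  unless Guardian.new(viewer).can_see_group_members?(post.policy_group)
    return { accepted: [], pending: [], members_hidden: true }
  end
  policy_widget_vulnerable(post, accepted).merge(members_hidden: false)
end

# Constructed sample: a private "staff" group, a public topic carrying a
# staff policy (post 1), and a staff-only topic (post 2).
def sample_posts
  staff = Group.new("staff", %w[alice bob], false)
  {
    1 => Post.new(1, nil, staff),
    2 => Post.new(2, staff, staff),
  }
end

if __FILE__ == $PROGRAM_NAME
  posts = sample_posts
  leak = {}
  p accept_policy_vulnerable(posts, 2, "mallory", leak)  # :accepted, though mallory cannot read post 2
  p accept_policy_fixed(posts, 2, "mallory", {})         # :not_found
  p policy_widget_vulnerable(posts[1], leak)             # staff names shown to any viewer
  p policy_widget_fixed(posts[1], "mallory", leak)       # names withheld from a non-member
end
```

The hardened lookup returns the same :not_found for a post the caller cannot see as for a post that does not exist, which also closes the enumeration side channel the CVE-2026-26207 entries mention. The hardened widget withholds only the member names rather than the whole widget, so group members can still accept the policy while non-members learn nothing about who is in the group.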