4 matches found

OSV
added 2026/03/27 7:10 a.m., 0 views

BIT-DISCOURSE-2026-33251 Discourse has a Hidden Solved topics permission bypass

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a...

CVSS 5.4, AI score 5.9, EPSS 0.00059
Exploits: 0, References: 2

CVE
added 2025/07/29 7:24 p.m., 16 views

CVE-2025-53102

CVE-2025-53102 affects Discourse: prior to 3.4.7 (stable) and 3.5.0.beta.8 (tests-passed), issuing a physical security key for 2FA generates a WebAuthn challenge that is not cleared from the user session after authentication, potentially allowing reuse and increasing security risk. Affected versi...

CVSS 9.8, AI score 6.8, EPSS 0.00281
Exploits: 0, References: 3, Affected Software: 1

Cvelist
added 2025/07/29 7:24 p.m., 5 views

CVE-2025-53102 Discourse's WebAuthn challenge isn't cleared from user session after authentication

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the stable branch and version 3.5.0.beta.8 on the tests-passed branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared...

CVSS 8.2, EPSS 0.00281
Exploits: 0, References: 3

Vulnrichment
added 2023/03/06 5:40 p.m., 7 views

CVE-2023-25169 Yearly Review Plugin leaking anonymised users data in discourse-yearly-review

discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit b3ab33bbf7 which is...

CVSS 3.1, AI score 5.2, EPSS 0.0025
Exploits: 0, References: 2