CVE-2022-23546

In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue...

EUVD-2023-27714

Malicious code in bioql PyPI...

EUVD-2023-0489

Malicious code in bioql PyPI...

EUVD-2023-27717

Malicious code in bioql PyPI...

EUVD-2025-14709

Malicious code in bioql PyPI...

CVE-2024-45297

Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users area are advised to upgrade. There are no known...

CVE-2023-38685

Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in version 3.0.6 of the stab...

CVE-2023-23624

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches, someone can use the excludetag param to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse...

CVE-2022-46168

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta15 on the beta and tests-passed branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is n...

BIT-DISCOURSE-2025-24972 Discourse may bypass user preference when adding users to chat groups

Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions 3.3.4 and 3.4.0.beta5 contai...

CVE-2024-53266

Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to...

CVE-2024-39320

CVE-2024-39320 affects Discourse. According to the connected Red Hat and OSV entries, the vulnerability allows an attacker to inject iframes from any domain by bypassing the allowed_iframes setting. The issue is fixed in Discourse versions 3.2.5 and 3.3.0.beta5. The available sources confirm the ...

CVE-2024-39320 Discourse allows iframe injection though default site setting

Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowediframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5...

CVE-2024-37299 Discourse vulnerable to DoS via Tag Group

Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5...

BIT-DISCOURSE-2024-36113 Discourse missing authorization checks for suspending admins/moderators

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch, version 3.3.0.beta3 on the beta branch, and version 3.3.0.beta4-dev on the tests-passed branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue i...

BIT-DISCOURSE-2024-37157 Discourse vulnerable to Server-Side Request Forgery via FastImage

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on...

CVE-2024-37157

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on...

CVE-2024-36122 Discourse doesn't limit reviewable user serializer payload

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses settin...

CVE-2024-36122 Discourse doesn't limit reviewable user serializer payload

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses settin...

CVE-2024-36122

Discourse vulnerability CVE-2024-36122 affects the open-source forum platform: moderators reviewing users in the review queue could see a user’s email address when the setting to “Allow moderators to view email addresses” is disabled. The issue affects versions prior to 3.2.3 on the stable branch...