CVE-2026-44782 Discourse: GroupPostSerializer leaks hidden full names through reaction post association

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared includeuserlongname? as the predicate for its :name attribute, but AMS looks for includename?...

CVE-2026-44782

Discourse (open-source) is affected. In versions 2026.1.0-latest–2026.1.3.x, 2026.3.0-latest–2026.3.0.x, and 2026.4.0-latest–2026.4.0.x, GroupPostSerializer used include_user_long_name? as the predicate for the :name attribute. AMS checks for include_name?, but the misnamed predicate was never in...

CVE-2026-44782 Discourse: GroupPostSerializer leaks hidden full names through reaction post association

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared includeuserlongname? as the predicate for its :name attribute, but AMS looks for includename?...

Cross site scripting

A stored cross-site scripting XSS vulnerability in the /group/post component of Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the title...

thinksaas2.2beta 越权修改置顶删除任意小组帖子

简要描述： 已经被很多前辈找过很多了。但是越权这种类型没有统一一次性的防御方案。只能在每个操作的点进行权限验证，一旦出现遗漏就会存在问题。ps:thinksaas厂商比较友好开放，所以来凑个热闹。 详细说明： 这次出问题的点在groupapp的topicmove.php 没有进行权限验证，所以用户可以将任意帖子移动到任意小组当中。这样子看起来危害不是很大，不过后来想到可以将任意帖子移动到自己建立的小组中进行编辑，删除，置顶，加精等操作，之后再移动回以前的小组，从而实现了对任意帖子的任意操作。在任意小组发表置顶贴之类的操作。相当于具有了所有小组管理员的一个权限。 这里采用test12...