BIT-DISCOURSE-2026-28227 Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the publishtocategory topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known...

CVE-2026-28227 Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the publishtocategory topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known...

CVE-2026-28227 Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the publishtocategory topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known...

EUVD-2020-0539

Malware in sbrugna...

EUVD-2023-27711

Malicious code in bioql PyPI...

EUVD-2025-32115

Malicious code in bioql PyPI...

CVE-2025-60782

PHP Education Manager v1.0 is vulnerable to Cross Site Scripting XSS stored Cross-Site Scripting XSS vulnerability in the topics management module topics.php. Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates...

CVE-2025-60782

PHP Education Manager v1.0 is vulnerable to Cross Site Scripting XSS stored Cross-Site Scripting XSS vulnerability in the topics management module topics.php. Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates...

CVE-2025-60782

PHP Education Manager v1.0 is vulnerable to Cross Site Scripting XSS stored Cross-Site Scripting XSS vulnerability in the topics management module topics.php. Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates...

CVE-2025-60782

PHP Education Manager v1.0 is vulnerable to Cross Site Scripting XSS stored Cross-Site Scripting XSS vulnerability in the topics management module topics.php. Attackers can inject malicious JavaScript payloads into the Titlefield during topic creation or updates...

CVE-2023-23615

Discourse is an open source discussion platform. The embeddable comments can be exploited to create new topics as any user but without any clear title or content. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, disable embeddable comments ...

CVE-2019-17572

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversa...

Discourse Information Disclosure Vulnerability

Discourse is an open source community discussion platform. The platform includes features such as communities, email and chat rooms. An information disclosure vulnerability exists in Discourse that originates from allowing any user to create a topic and add arbitrary custom fields to the topic...

Discourse 安全漏洞

Discourse is an open source community discussion platform. The platform includes community, email, and chat room features. A security vulnerability exists in Discourse prior to 3.0.4 stable, 3.1.0.beta5, which stems from the topic creation page allowing unrestricted iFrame markup...

Discourse 跨站脚本漏洞

Discourse is an open source community discussion platform. The platform includes community, email, and chat room features.A cross-site scripting vulnerability exists in versions prior to Discourse DiscoTOC 2.1.0, which stems from the lack of escaping and filtering of input data on pages that can...

PT-2022-24858 · Discotoc · Discotoc

Name of the Vulnerable Software and Affected Versions: DiscoTOC versions prior to the fixed version on the main branch Description: The issue allows users to inject arbitrary HTML on a topic's page if they can create topics in TOC-enabled categories and have a sufficient trust level. The estimate...

Discourse 安全漏洞

Discourse is an open source community discussion platform. An access control error vulnerability exists in versions of Discourse prior to 2.8.9 and prior to 2.9.0.beta10. The vulnerability stems from improper access control of the API, which could be exploited to create new topics and edit existi...

GHSA-5X3V-2GXR-59M2 Directory traversal in Apache RocketMQ

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversa...

Directory Traversal

rocketmq-broker is vulnerable to directory traversal. The automatic topic creation which is enabled by default, allows a folder name containing ../ characters to be created. This results in the writing of arbitrary directory in the parent directories, potentially overwriting existing folders...

Directory traversal

In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversa...