| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-33425 | Discourse has inferable private group membership or existence via exclude_groups parameter | discourse | discourse | Medium | - | 2026-03-20 23:12:30 | Deep Dive |
| CVE-2026-33424 | PM access granted through invites after access revocation | discourse | discourse | Medium | 5.9 | 2026-03-20 23:08:12 | Deep Dive |
| CVE-2026-33423 | Discourse staff can modify any user's group notification level | discourse | discourse | Medium | - | 2026-03-20 23:06:22 | Deep Dive |
| CVE-2026-33422 | Discourse exposes ip_address of flagged user | discourse | discourse | Low | 3.5 | 2026-03-20 23:04:45 | Deep Dive |
| CVE-2026-33411 | Discourse's solved topic stream has potential stored XSS in topic title | discourse | discourse | Medium | 5.4 | 2026-03-20 22:58:15 | Deep Dive |
| CVE-2026-33291 | Discourse user can create Zendesk tickets even when it does not have access to topic | discourse | discourse | Medium | - | 2026-03-20 22:56:06 | Deep Dive |
| CVE-2026-33251 | Discourse has a Hidden Solved topics permission bypass | discourse | discourse | Medium | 5.4 | 2026-03-20 22:52:37 | Deep Dive |
| CVE-2026-32114 | Discourse's unscoped status lookups leak restricted metadata | discourse | discourse | Medium | - | 2026-03-20 03:13:35 | Deep Dive |
| CVE-2026-31869 | Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check | discourse | discourse | Medium | - | 2026-03-20 03:10:43 | Deep Dive |
| CVE-2026-31805 | Discourse has a poll authorization bypass via post_id array parameter | discourse | discourse | Medium | 5.3 | 2026-03-20 03:07:15 | Deep Dive |
| CVE-2026-30891 | Discourse has Unauthorized Exposure of Private User Action Types | discourse | discourse | Medium | - | 2026-03-20 03:02:27 | Deep Dive |
| CVE-2026-30889 | Discourse has Unauthorized Post Data Exposure in discourse-user-notes | discourse | discourse | Medium | - | 2026-03-20 02:59:14 | Deep Dive |
| CVE-2026-30888 | Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint | discourse | discourse | Low | 2.2 | 2026-03-20 02:55:58 | Deep Dive |
| CVE-2026-33408 | Discourse has Improper Authorization in "Post Edits" Report For Moderators | discourse | discourse | Low | 2.2 | 2026-03-19 22:35:14 | Deep Dive |
| CVE-2026-33395 | Discourse has stored click‑based XSS via Graphviz SVG javascript: links | discourse | discourse | Medium | 4.4 | 2026-03-19 22:33:19 | Deep Dive |
| CVE-2026-33394 | Discourse leaks PM post edits to moderators | discourse | discourse | Low | 2.7 | 2026-03-19 22:06:07 | Deep Dive |
| CVE-2026-33393 | Discourse fixes loose hostname matching in spam host allowlist | discourse | discourse | Medium | 4.3 | 2026-03-19 22:04:26 | Deep Dive |
| CVE-2026-33355 | Discourse filters whisper posts from private-posts feed | discourse | discourse | Medium | 6.5 | 2026-03-19 22:01:42 | Deep Dive |
| CVE-2026-33410 | Discourse hardens chat DM channel creation and expansion | discourse | discourse | Medium | 5.4 | 2026-03-19 21:57:27 | Deep Dive |
| CVE-2026-32099 | Discourse prevents hidden profile data leak via user onebox | discourse | discourse | Medium | 4.3 | 2026-03-19 21:52:25 | Deep Dive |