| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-34947 | Discourse: Staged user custom fields are exposed on public invite pages | discourse | discourse | - | - | 2026-04-03 21:28:00 | Deep Dive |
| CVE-2026-27481 | Discourse: Hidden tag visibility bypass on tag routes | discourse | discourse | - | - | 2026-04-03 21:27:12 | Deep Dive |
| CVE-2026-33415 | Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure | discourse | discourse | Medium | - | 2026-03-31 17:42:16 | Deep Dive |
| CVE-2026-33300 | Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint | discourse | discourse | Medium | - | 2026-03-31 17:42:01 | Deep Dive |
| CVE-2026-33185 | Discourse: Group SMTP test endpoint susceptible to SSRF | discourse | discourse | Medium | - | 2026-03-31 17:41:45 | Deep Dive |
| CVE-2026-33074 | Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions | discourse | discourse | Medium | - | 2026-03-31 17:41:32 | Deep Dive |
| CVE-2026-32951 | Discourse: Authorization bypass in oneboxer via user-controlled category id | discourse | discourse | Medium | 4.3 | 2026-03-31 17:41:21 | Deep Dive |
| CVE-2026-32620 | Discourse: Missing post-level authorization allows whisper metadata disclosure | discourse | discourse | Medium | - | 2026-03-31 17:41:03 | Deep Dive |
| CVE-2026-32619 | Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories | discourse | discourse | Medium | - | 2026-03-31 17:40:42 | Deep Dive |
| CVE-2026-32618 | Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id | discourse | discourse | Medium | 4.3 | 2026-03-31 17:40:41 | Deep Dive |
| CVE-2026-32615 | Discourse: Category group moderators can perform actions on topics in restricted categories without read access | discourse | discourse | Medium | - | 2026-03-31 17:40:17 | Deep Dive |
| CVE-2026-32607 | Discourse: Stored XSS via unescaped assignee name | discourse | discourse | Medium | - | 2026-03-31 17:40:05 | Deep Dive |
| CVE-2026-32273 | Discourse: XSS on category description update via API | discourse | discourse | Medium | 5.4 | 2026-03-31 17:39:49 | Deep Dive |
| CVE-2026-32243 | Discourse: Stored XSS in discourse-ai shared conversations onebox | discourse | discourse | Medium | - | 2026-03-31 17:39:38 | Deep Dive |
| CVE-2026-32113 | Discourse: Open redirect via `sso_destination_url` cookie in `enter` | discourse | discourse | Medium | - | 2026-03-31 17:39:26 | Deep Dive |
| CVE-2026-32143 | Discourse: Admin-only report can be exported by moderators | discourse | discourse | Medium | - | 2026-03-31 17:39:26 | Deep Dive |
| CVE-2026-33073 | discourse-subscriptions plugin leaking stripe API key in multisite environment | discourse | discourse | Medium | - | 2026-03-31 17:39:00 | Deep Dive |
| CVE-2026-33428 | Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership | discourse | discourse | Medium | - | 2026-03-20 23:21:21 | Deep Dive |
| CVE-2026-33427 | Discourse Authorization Page Displays Unvalidated Redirect Domain | discourse | discourse | Medium | - | 2026-03-20 23:20:03 | Deep Dive |
| CVE-2026-33426 | Discourse users can edit or synonymize hidden tags they can't see | discourse | discourse | Low | 3.5 | 2026-03-20 23:14:57 | Deep Dive |