discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34947 | Discourse: Staged user custom fields are exposed on public invite pages | discourse | CWE-200 | 4.3 (AI) | Medium (AI) | 2026-04-03 |
| CVE-2026-27481 | Discourse: Hidden tag visibility bypass on tag routes | discourse | CWE-200 | 5.3 (AI) | Medium (AI) | 2026-04-03 |
| CVE-2026-33415 | Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure | discourse | CWE-284 | 2.7 | - | 2026-03-31 |
| CVE-2026-33300 | Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint | discourse | CWE-200 | 4.3 | - | 2026-03-31 |
| CVE-2026-33185 | Discourse: Group SMTP test endpoint susceptible to SSRF | discourse | CWE-918 | 4.3 | - | 2026-03-31 |
| CVE-2026-33074 | Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions | discourse | CWE-269 | 7.1 | - | 2026-03-31 |
| CVE-2026-32951 | Discourse: Authorization bypass in oneboxer via user-controlled category id | discourse | CWE-200 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-32620 | Discourse: Missing post-level authorization allows whisper metadata disclosure | discourse | CWE-200 | 4.3 | - | 2026-03-31 |
| CVE-2026-32619 | Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories | discourse | CWE-285 | 5.4 | - | 2026-03-31 |
| CVE-2026-32618 | Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id | discourse | CWE-200 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-32615 | Discourse: Category group moderators can perform actions on topics in restricted categories without read access | discourse | CWE-285 | 7.1 | - | 2026-03-31 |
| CVE-2026-32607 | Discourse: Stored XSS via unescaped assignee name | discourse | CWE-79 | 5.4 | - | 2026-03-31 |
| CVE-2026-32273 | Discourse: XSS on category description update via API | discourse | CWE-79 | 5.4 | Medium | 2026-03-31 |
| CVE-2026-32243 | Discourse: Stored XSS in discourse-ai shared conversations onebox | discourse | CWE-79 | 5.4 | - | 2026-03-31 |
| CVE-2026-32143 | Discourse: Admin-only report can be exported by moderators | discourse | CWE-200 | 6.5 | - | 2026-03-31 |
| CVE-2026-32113 | Discourse: Open redirect via `sso_destination_url` cookie in `enter` | discourse | CWE-601 | 6.4 | - | 2026-03-31 |
| CVE-2026-33073 | discourse-subscriptions plugin leaking stripe API key in multisite environment | discourse | CWE-200 | 6.5 | - | 2026-03-31 |
| CVE-2026-33428 | Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership | discourse | CWE-863 | 5.4 | - | 2026-03-20 |
| CVE-2026-33427 | Discourse Authorization Page Displays Unvalidated Redirect Domain | discourse | CWE-862 | 4.3 | - | 2026-03-20 |
| CVE-2026-33426 | Discourse users can edit or synonymize hidden tags they can't see | discourse | CWE-862 | 3.5 | Low | 2026-03-20 |
| CVE-2026-33425 | Discourse has inferable private group membership or existence via exclude_groups parameter | discourse | CWE-203 | 5.3 | - | 2026-03-20 |
| CVE-2026-33424 | PM access granted through invites after access revocation | discourse | CWE-863 | 5.9 | Medium | 2026-03-20 |
| CVE-2026-33423 | Discourse staff can modify any user's group notification level | discourse | CWE-862 | 4.3 | - | 2026-03-20 |
| CVE-2026-33422 | Discourse exposes ip_address of flagged user | discourse | CWE-200 | 3.5 | Low | 2026-03-20 |
| CVE-2026-33411 | Discourse's solved topic stream has potential stored XSS in topic title | discourse | CWE-79 | 5.4 | Medium | 2026-03-20 |
| CVE-2026-33291 | Discourse user can create Zendesk tickets even when it does not have access to topic | discourse | CWE-863 | 4.3 | - | 2026-03-20 |
| CVE-2026-33251 | Discourse has a Hidden Solved topics permission bypass | discourse | CWE-863 | 5.4 | Medium | 2026-03-20 |
| CVE-2026-32114 | Discourse's unscoped status lookups leak restricted metadata | discourse | CWE-639 | 4.3 | - | 2026-03-20 |
| CVE-2026-31869 | Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check | discourse | CWE-200 | 4.3 | - | 2026-03-20 |
| CVE-2026-31805 | Discourse has a poll authorization bypass via post_id array parameter | discourse | CWE-863 | 5.3 | Medium | 2026-03-20 |

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.