
discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-30891 | Discourse has Unauthorized Exposure of Private User Action Types | CWE-200 | 6.5 | - | 2026-03-20 |
| CVE-2026-30889 | Discourse has Unauthorized Post Data Exposure in discourse-user-notes | CWE-862 | 4.3 | - | 2026-03-20 |
| CVE-2026-30888 | Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint | CWE-269 | 2.2 | Low | 2026-03-20 |
| CVE-2026-33408 | Discourse has Improper Authorization in "Post Edits" Report For Moderators | CWE-862 | 2.2 | Low | 2026-03-19 |
| CVE-2026-33395 | Discourse has stored click-based XSS via Graphviz SVG javascript: links | CWE-79 | 4.4 | Medium | 2026-03-19 |
| CVE-2026-33394 | Discourse leaks PM post edits to moderators | CWE-200 | 2.7 | Low | 2026-03-19 |
| CVE-2026-33393 | Discourse fixes loose hostname matching in spam host allowlist | CWE-284 | 4.3 | Medium | 2026-03-19 |
| CVE-2026-33355 | Discourse filters whisper posts from private-posts feed | CWE-200 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33410 | Discourse hardens chat DM channel creation and expansion | CWE-863 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-32099 | Discourse prevents hidden profile data leak via user onebox | CWE-200 | 4.3 | Medium | 2026-03-19 |
| CVE-2026-29072 | Discourse missing permission check for policy creation in discourse-policy | CWE-862 | 4.3 | - | 2026-03-19 |
| CVE-2026-28282 | Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin | CWE-863 | 6.5 | - | 2026-03-19 |
| CVE-2026-27936 | Discourse discloses restricted post-action counts to non-privileged users | CWE-863 | 4.3 | - | 2026-03-19 |
| CVE-2026-27935 | Discourse leaks private topic metadata to non-authorized users | CWE-201 | 4.3 | - | 2026-03-19 |
| CVE-2026-27934 | Discourse leaks private topic title and post excerpt via user action API endpoint | CWE-201 | 4.3 | - | 2026-03-19 |
| CVE-2026-27740 | Discourse has Stored XSS in AI Triage Automation | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-27570 | Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-27491 | Discourse has a bypass of official warnings messages by non-staff users | CWE-862 | 4.3 | - | 2026-03-19 |
| CVE-2026-27454 | Discourse has check revision visibility on posts endpoint | CWE-862 | 5.3 | Medium | 2026-03-19 |
| CVE-2026-27166 | Discourse vulnerable to HTML injection via prohibited iframe URLs | CWE-80 | 4.1 | Medium | 2026-03-19 |
| CVE-2026-28227 | Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-28219 | Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners | CWE-915 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-28218 | Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution | CWE-284 | 8.8 (AI) | High (AI) | 2026-02-26 |
| CVE-2026-27154 | Discourse has XSS when editing a malicious post | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27153 | Discourse doesn't prevent moderators from exporting user Chat DMs | CWE-863 | 5.4 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27152 | Discourse has DM communication-preference bypass when adding members | CWE-284 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27162 | Discourse doesn't prevent whispers from leaking in excerpts | CWE-200 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27151 | Discourse doesn't validate destination topic when moving posts | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27150 | Discourse doesn't ensure guardian check when creating QueryGroupBookmark | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27149 | Discourse has SQL injection in PM tag filtering | CWE-89 | 6.5 (AI) | Medium (AI) | 2026-02-26 |

All entries affect the discourse product. A "-" in the Severity column means no severity rating is shown on this listing for that entry; "(AI)" marks a CVSS score or severity that the listing flags as AI-assigned rather than taken from the published advisory.

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.