
discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27021 | Discourse: Poll voters endpoint lacked post visibility checks | CWE-862 | 5.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-26979 | Discourse: TL4 users are able to change status of restricted topics | CWE-862 | 5.4 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-26973 | Discourse doesn't scope reviewable notes to user-visible reviewables | CWE-863 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-26265 | Discourse has IDOR vulnerability in the directory items endpoint | CWE-863 | 7.5 | High | 2026-02-26 |
| CVE-2026-26207 | Discourse's discourse-policy plugin lacks post access check | CWE-862 | 5.4 | Medium | 2026-02-26 |
| CVE-2026-26078 | Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint | CWE-639 | 7.5 | High | 2026-02-26 |
| CVE-2026-26077 | Discourse doesn't ensure webhooks require a token | CWE-287 | 6.5 | Medium | 2026-02-26 |
| CVE-2026-24742 | Discourse staff action logs expose sensitive information to moderators | CWE-863 | 6.5 | Medium | 2026-01-28 |
| CVE-2026-23743 | Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users | CWE-200 | 5.4 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-21865 | Discourse topic conversion permission vulnerability for moderators | CWE-862 | 6.5 | Medium | 2026-01-28 |
| CVE-2025-69289 | Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change | CWE-863 | 8.8 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-69218 | Discourse moderators can access admin-only reports exposing private upload URLs | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-68934 | Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint | CWE-770 | 6.5 | Medium | 2026-01-28 |
| CVE-2025-68933 | Discourse non-admin moderators can exfiltrate private content via post ownership transfer | CWE-863 | 6.9 | Medium | 2026-01-28 |
| CVE-2025-68666 | Discourse users archives leaked to users with moderation privileges | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-68662 | FinalDestination hostname matching allows SSRF protection bypass | CWE-918 | 7.6 | High | 2026-01-28 |
| CVE-2025-68660 | Discourse AI Discover's continue conversation allows threat actor to impersonate user | CWE-863 | 5.4 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-68659 | Discourse has DoS vulnerability in username change endpoint | CWE-770 | 4.3 | Medium | 2026-01-28 |
| CVE-2025-68479 | Discourse subscriptions are susceptible to takeover | CWE-862 | 7.1 | High | 2026-01-28 |
| CVE-2025-67723 | Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin | CWE-79 | 4.6 | Medium | 2026-01-28 |
| CVE-2025-66488 | Discourse allows script execution in uploaded HTML/XML files on S3 | CWE-116 | 4.6 | Medium | 2026-01-28 |
| CVE-2025-64528 | Users are able to find users by name even when `enable_names` is off | CWE-202 | 5.3 | - | 2025-12-30 |
| CVE-2025-61598 | Discourse is missing Cache-Control response header on error responses | CWE-524 | 5.3 (AI) | Medium (AI) | 2025-10-28 |
| CVE-2025-59337 | Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments | CWE-77 | 8.1 (AI) | High (AI) | 2025-10-01 |
| CVE-2025-58055 | Discourse AI Suggestions Contain Insecure Direct Object Reference | CWE-284 | 4.3 | Medium | 2025-10-01 |
| CVE-2025-58054 | Discourse is vulnerable to XSS when quoting chat messages | CWE-80 | 3.5 | Low | 2025-10-01 |
| CVE-2025-54411 | Discourse welcome banner user name XSS | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-08-19 |
| CVE-2025-53102 | Discourse's WebAuthn challenge isn't cleared from user session after authentication | CWE-384 | 8.2 (AI) | High (AI) | 2025-07-29 |
| CVE-2025-49845 | Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers | CWE-200 | 4.3 (AI) | Medium (AI) | 2025-06-25 |
| CVE-2025-48954 | Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow | CWE-79 | 8.1 | High | 2025-06-25 |

All entries above are for the product discourse. Values marked (AI) carry the site's AI badge on the original listing; a "-" in the Severity column means no severity rating was shown.

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.