Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by discourse:discoursediscourse-calendardiscourse-reactionsdiscourse-chatdiscourse-aidiscourse-policydiscourse-code-reviewdiscourse-placeholder-theme-componentWP Discoursediscourse-microsoft-authdiscourse-group-membership-ip-blockdiscourse-jiradiscourse-encryptdiscourse-yearly-reviewdiscourse-mermaid-theme-componentdiscourse-bbcodediscourse-patreonDiscoTOCdiscourse-assignmessage_busdiscourse-footnoterails_multisite
CVE IDTitleCVSSSeverityPublished
CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe — discourseCWE-1038 5.4AIMediumAI2025-06-09
CVE-2025-48062 Discourse vulnerable to HTML injection when inviting to topic via email — discourseCWE-116 7.1 High2025-06-09
CVE-2025-48053 Discourse vulnerable to DoS via large URL payload in PM to a bot — discourseCWE-400 4.3AIMediumAI2025-06-09
CVE-2025-47288 Discourse Policy plugin private group members visible — discourse-policyCWE-200 3.5 Low2025-05-29
CVE-2025-46824 Discourse Code Review Plugin vulnerable to XSS via auto link commits — discourse-code-reviewCWE-79 3.1 Low2025-05-07
CVE-2025-46813 Private data leak on login-required Discourse sites — discourseCWE-200 5.8 Medium2025-05-05
CVE-2025-32376 Discourse DM limits aren’t always properly enforced — discourseCWE-284 4.3AIMediumAI2025-04-30
CVE-2025-24972 Discourse may bypass user preference when adding users to chat groups — discourseCWE-862 4.3 Medium2025-03-26
CVE-2025-24808 Discourse has race condition when adding users to a group DM — discourseCWE-362 4.3 Medium2025-03-26
CVE-2024-53266 Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse — discourseCWE-79 4.3 Medium2025-02-04
CVE-2024-53851 Partial denial of service via inline oneboxes in Discourse — discourseCWE-400 4.3 Medium2025-02-04
CVE-2024-53994 Potential bypass of chat permissions in Discourse — discourseCWE-281 4.3 Medium2025-02-04
CVE-2024-55948 Anonymous cache poisoning via XHR requests in Discourse — discourseCWE-346 8.2 High2025-02-04
CVE-2024-56197 Users can see other user's tagged PMs in Discourse — discourseCWE-200 2.2 Low2025-02-04
CVE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse — discourseCWE-79 6.5 Medium2025-02-04
CVE-2025-22601 Client Side Path Traversal using activate account route in Discourse — discourseCWE-22 3.1 Low2025-02-04
CVE-2025-22602 Stored DOM-based XSS (without CSP) via video placeholders in Discourse — discourseCWE-79 6.5 Medium2025-02-04
CVE-2025-23023 Anonymous cache poisoning via request headers in Discourse — discourseCWE-346 8.2 High2025-02-04
CVE-2024-54142 Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse — discourse-aiCWE-79 9.1 Critical2025-01-14
CVE-2024-49765 Bypass of Discourse Connect using other login paths if enabled in Discourse — discourseCWE-359 5.3 Medium2024-12-19
CVE-2024-52589 Moderators can view Screened emails even when the “moderators view emails” option is disabled in Discourse — discourseCWE-200 2.2 Low2024-12-19
CVE-2024-52794 Magnific lightbox susceptible to Cross-site Scripting in Discourse — discourseCWE-79 6.8 Medium2024-12-19
CVE-2024-53991 Potential Backup file leaked via Nginx in Discourse — discourseCWE-200 7.5 High2024-12-19
CVE-2024-47773 Anonymous cache poisoning via XHR requests in Discourse — discourseCWE-610 8.2 High2024-10-08
CVE-2024-47772 Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse — discourseCWE-79 6.5 Medium2024-10-07
CVE-2024-43789 Denial of service by the absence of restrictions on replies to posts in Discourse — discourseCWE-400 7.5 High2024-10-07
CVE-2024-45297 Prevent topic list filtering by hidden tags for unauthorized users in Discourse — discourseCWE-269 5.3 Medium2024-10-07
CVE-2024-45051 Bypass of email address validation via encoded email addresses in Discourse — discourseCWE-287 8.2 High2024-10-07
CVE-2024-45303 Discourse Calendar plugin event names susceptible to XSS — discourse-calendarCWE-79 6.1 Medium2024-09-12
CVE-2024-21658 Insufficient control of region value length in discourse-calendar — discourse-calendarCWE-400 4.3 Medium2024-08-30

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.