discourse

296 tracked vulnerabilities.

CVE-2026-59828 MEDIUM
Discourse: Hidden post revisions leak through adjacent visible diffs
Jul 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-55424 HIGH
Discourse: Topic featured link susceptible to stored XSS
Jul 09, 2026
EPSS 0.00
CVE-2026-53963 HIGH
Discourse: Stored-XSS in 2FA delete confirmation modal
Jul 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-53962 MEDIUM
Discourse: Insufficient SVG sanitization logic
Jul 09, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53961 MEDIUM
Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Jul 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49256 MEDIUM
Discourse: Hidden tag names leaked via category serializers
Jul 09, 2026
EPSS 0.00
CVE-2026-46413 MEDIUM
Discourse: Regular users can route multipart uploads into the admin backup store
Jul 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45788 MEDIUM
Discourse: Secure uploads exposed by hotlinked image copying
Jul 09, 2026
EPSS 0.00
CVE-2026-45780 MEDIUM
Discourse: Private event sample invitees are serialized to non-invited event viewers
Jul 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44787 HIGH
Discourse: Signup-time primary_group_id assignment grants whisperer access
Jul 09, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-55420 HIGH
Discourse: Remote code execution via pdf uploads
Jul 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-47264 MEDIUM
Discourse: Don't leak restricted tag group names via tag info
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-47263 MEDIUM
Discourse: Prevent webhook payload disclosure on event redelivery
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45775 MEDIUM
Discourse: Cross-site backup access via path traversal in multisite local backups
Jun 12, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-45085 MEDIUM
Discourse: Chat misauthorization and information disclosure
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44786 HIGH
Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44785 MEDIUM
Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44784 MEDIUM
Discourse: Non-staff group owners can see email password in plaintext through group history
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44783 MEDIUM
Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44782 MEDIUM
Discourse: GroupPostSerializer leaks hidden full names through reaction post association
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44780 MEDIUM
Discourse: Category queue reviewers can read raw incoming emails from queued posts
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44779 MEDIUM
Discourse: Bot debug endpoints disclose whisper translation audit logs
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34154 MEDIUM
Discourse Subscriptions Plugin - Subscription Access Bypass
May 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33514 MEDIUM
Discourse: Information Disclosure in Form Template API Due to Missing Authorization
May 19, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32244 MEDIUM
Discourse: Cached outdated summaries can leak removed content
May 19, 2026
CVSS 5.3
EPSS 0.00