discourse
274 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-34154 | LOW | Discourse has a subscription access bypass in its discourse-subscriptions plugin | May 19, 2026 | n/a | 0.00 |
| CVE-2026-33514 | MEDIUM | Discourse: Information Disclosure in Form Template API Due to Missing Authorization | May 19, 2026 | n/a | 0.00 |
| CVE-2026-32244 | MEDIUM | Discourse: Cached outdated summaries can leak removed content | May 19, 2026 | 5.3 | 0.00 |
| CVE-2026-34947 | MEDIUM | Discourse: Staged user custom fields are exposed on public invite pages | Apr 03, 2026 | 5.3 | 0.00 |
| CVE-2026-27481 | MEDIUM | Discourse: Hidden tag visibility bypass on tag routes | Apr 03, 2026 | 5.3 | 0.00 |
| CVE-2026-33415 | LOW | Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure | Mar 31, 2026 | 2.7 | 0.00 |
| CVE-2026-33300 | MEDIUM | Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-33185 | MEDIUM | Discourse: Group SMTP test endpoint susceptible to SSRF | Mar 31, 2026 | 5.0 | 0.00 |
| CVE-2026-33074 | MEDIUM | Discourse Subscriptions Plugin - Higher-Tier Subscription Privilege Escalation | Mar 31, 2026 | 5.3 | 0.00 |
| CVE-2026-33073 | MEDIUM | discourse-subscriptions plugin leaking stripe API key in multisite environment | Mar 31, 2026 | 5.3 | 0.00 |
| CVE-2026-32951 | MEDIUM | Discourse: Authorization bypass in oneboxer via user-controlled category id | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-32620 | MEDIUM | Discourse: Missing post-level authorization allows whisper metadata disclosure | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-32619 | MEDIUM | Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-32618 | MEDIUM | Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-32615 | MEDIUM | Discourse: Category group moderators can perform actions on topics in restricted categories without read access | Mar 31, 2026 | 5.4 | 0.00 |
| CVE-2026-32607 | MEDIUM | Discourse: Stored XSS via unescaped assignee name | Mar 31, 2026 | 5.4 | 0.00 |
| CVE-2026-32273 | MEDIUM | Discourse: XSS on category description update via API | Mar 31, 2026 | 5.4 | 0.00 |
| CVE-2026-32243 | MEDIUM | Discourse: Stored XSS in discourse-ai shared conversations onebox | Mar 31, 2026 | 5.4 | 0.00 |
| CVE-2026-32143 | MEDIUM | Discourse: Admin-only report can be exported by moderators | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-32113 | MEDIUM | Discourse: Open redirect via `sso_destination_url` cookie in `enter` | Mar 31, 2026 | 6.1 | 0.00 |
| CVE-2026-33428 | MEDIUM | Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership | Mar 21, 2026 | 6.5 | 0.00 |
| CVE-2026-33427 | HIGH | Discourse Authorization Page Displays Unvalidated Redirect Domain | Mar 21, 2026 | 7.5 | 0.00 |
| CVE-2026-33426 | LOW | Discourse users can edit or synonymize hidden tags they can't see | Mar 21, 2026 | 3.5 | 0.00 |
| CVE-2026-33425 | MEDIUM | Discourse has inferable private group membership or existence via exclude_groups parameter | Mar 21, 2026 | 5.3 | 0.00 |
| CVE-2026-33424 | MEDIUM | PM access granted through invites after access revocation | Mar 21, 2026 | 5.9 | 0.00 |
Products (tracked vulnerability count per product)

| Product | Count |
|---|---|
| discourse | 241 |
| calendar | 4 |
| discourse-chat | 3 |
| discourse_calendar | 3 |
| discourse_reactions | 2 |
| WP Discourse | 1 |
| ai | 1 |
| assign | 1 |
| discotoc | 1 |
| discourse-ai | 1 |
| discourse-code-review | 1 |
| discourse-encrypt | 1 |
| discourse-placeholder-theme-component | 1 |
| discourse-policy | 1 |
| discourse-reactions | 1 |
| discourse_bbcode | 1 |
| discourse_footnote | 1 |
| discourse_jira | 1 |
| discourse_yearly_review | 1 |
| group_membership_ip_blocks | 1 |
| mermaid | 1 |
| message_bus | 1 |
| microsoft_authentication | 1 |
| patreon | 1 |
| rails_multisite | 1 |
| reactions | 1 |