discourse
274 tracked vulnerabilities.
CVE-2026-33423
MEDIUM
Discourse staff can modify any user's group notification level
Mar 20, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33422
LOW
Discourse exposes ip_address of flagged user
Mar 20, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-33411
MEDIUM
Discourse's solved topic stream has potential stored XSS in topic title
Mar 20, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33291
MEDIUM
Discourse user can create Zendesk tickets even when it does not have access to topic
Mar 20, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33251
MEDIUM
Discourse has a Hidden Solved topics permission bypass
Mar 20, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32114
MEDIUM
Discourse's unscoped status lookups leak restricted metadata
Mar 20, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-31869
MEDIUM
Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
Mar 20, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-31805
MEDIUM
Discourse Poll Plugin post_id - Authorization Bypass
Mar 20, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-30891
MEDIUM
Discourse has Unauthorized Exposure of Private User Action Types
Mar 20, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-30889
MEDIUM
Discourse has Unauthorized Post Data Exposure in discourse-user-notes
Mar 20, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-30888
LOW
Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint
Mar 20, 2026
CVSS 2.2
EPSS 0.00
CVE-2026-33408
LOW
Discourse has Improper Authorization in "Post Edits" Report For Moderators
Mar 19, 2026
CVSS 2.2
EPSS 0.00
CVE-2026-33395
MEDIUM
Discourse has stored click‑based XSS via Graphviz SVG javascript: links
Mar 19, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-33410
MEDIUM
Discourse hardens chat DM channel creation and expansion
Mar 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33394
LOW
Discourse leaks PM post edits to moderators
Mar 19, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-33393
MEDIUM
Discourse fixes loose hostname matching in spam host allowlist
Mar 19, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33355
MEDIUM
Discourse filters whisper posts from private-posts feed
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32099
MEDIUM
Discourse prevents hidden profile data leak via user onebox
Mar 19, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-29072
HIGH
Discourse missing permission check for policy creation in discourse-policy
Mar 19, 2026
EPSS 0.00
CVE-2026-28282
LOW
Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin
Mar 19, 2026
EPSS 0.00
CVE-2026-27936
MEDIUM
Discourse discloses restricted post-action counts to non-privileged users
Mar 19, 2026
EPSS 0.00
CVE-2026-27935
MEDIUM
Discourse leaks private topic metadata to non-authorized users
Mar 19, 2026
EPSS 0.00
CVE-2026-27934
HIGH
Discourse leaks private topic title and post excerpt via user action API endpoint
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-27740
MEDIUM
Discourse has Stored XSS in AI Triage Automation
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27570
MEDIUM
Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
Mar 19, 2026
CVSS 6.1
EPSS 0.00
Products
discourse 241
calendar 4
discourse-chat 3
discourse_calendar 3
discourse_reactions 2
WP Discourse 1
ai 1
assign 1
discotoc 1
discourse-ai 1
discourse-code-review 1
discourse-encrypt 1
discourse-placeholder-theme-component 1
discourse-policy 1
discourse-reactions 1
discourse_bbcode 1
discourse_footnote 1
discourse_jira 1
discourse_yearly_review 1
group_membership_ip_blocks 1
mermaid 1
message_bus 1
microsoft_authentication 1
patreon 1
rails_multisite 1
reactions 1