Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

discourse — Vulnerabilities & Security Advisories 259

All 259 CVE vulnerabilities found in discourse, with AI-generated Chinese analysis, references, and POCs.

This page presents vulnerability aggregation data for Discourse, a popular open-source discussion platform, focusing on common weaknesses tracked across its ecosystem. It collects information regarding diverse security flaws affecting the software, including cross-site scripting, authorization bypasses, and path traversal issues, covering data from recent years to present. Users can utilize this resource to track vendor advisories from the Discourse maintainers, understand the prevalence and impact of specific weakness classes within community-driven software, and look up a product's historical vulnerability trends to assess long-term security posture. The content is organized to facilitate rapid identification of critical issues without requiring deep technical expertise, ensuring that system administrators and developers can quickly reference known defects. By aggregating data from multiple sources, this summary provides a consolidated view of security incidents, helping stakeholders prioritize remediation efforts based on severity and exploitability. The approach emphasizes clarity and accessibility, allowing teams to maintain compliance and reduce exposure to known threats effectively. This resource serves as a central reference point for monitoring the evolving security landscape of Discourse, supporting informed decision-making in patch management and infrastructure hardening processes.

Vendor: discourse

CVE IDTitleCVSSSeverityPublished
CVE-2026-26078 Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint CWE-639 7.5 High2026-02-26
CVE-2026-26077 Discourse doesn't ensure webhooks require a token CWE-287 6.5 Medium2026-02-26
CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators CWE-863 6.5 Medium2026-01-28
CVE-2026-23743 Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users CWE-200 5.4AIMediumAI2026-01-28
CVE-2026-21865 Discourse topic conversion permission vulnerability for moderators CWE-862 6.5 Medium2026-01-28
CVE-2025-69289 Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change CWE-863 8.8AIHighAI2026-01-28
CVE-2025-69218 Discourse moderators can access admin-only reports exposing private upload URLs CWE-863 6.5AIMediumAI2026-01-28
CVE-2025-68934 Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint CWE-770 6.5 Medium2026-01-28
CVE-2025-68933 Discourse non-admin moderators can exfiltrate private content via post ownership transfer CWE-863 6.9 Medium2026-01-28
CVE-2025-68666 Discourse users archives leaked to users with moderation privileges CWE-863 4.3AIMediumAI2026-01-28
CVE-2025-68662 FinalDestination hostname matching allows SSRF protection bypass CWE-918 7.6 High2026-01-28
CVE-2025-68660 Discourse AI Discover's continue conversation allows threat actor to impersonate user CWE-863 5.4AIMediumAI2026-01-28
CVE-2025-68659 Discourse has DoS vulnerability in username change endpoint CWE-770 4.3 Medium2026-01-28
CVE-2025-68479 Discourse subscriptions are susceptible to takeover CWE-862 7.1 High2026-01-28
CVE-2025-67723 Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin CWE-79 4.6 Medium2026-01-28
CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3 CWE-116 4.6 Medium2026-01-28
CVE-2025-64528 Users are able to find users by name even when `enable_names` is off CWE-202 5.3 -2025-12-30
CVE-2025-61598 Discourse is missing Cache-Control response header on error responses CWE-524 5.3AIMediumAI2025-10-28
CVE-2025-59337 Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments CWE-77 8.1AIHighAI2025-10-01
CVE-2025-58055 Discourse AI Suggestions Contain Insecure Direct Object Reference CWE-284 4.3 Medium2025-10-01
CVE-2025-58054 Discourse is vulnerable to XSS when quoting chat messages CWE-80 3.5 Low2025-10-01
CVE-2025-54411 Discourse welcome banner user name XSS CWE-79 5.4AIMediumAI2025-08-19
CVE-2025-53102 Discourse's WebAuthn challenge isn't cleared from user session after authentication CWE-384 8.2AIHighAI2025-07-29
CVE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers CWE-200 4.3AIMediumAI2025-06-25
CVE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow CWE-79 8.1 High2025-06-25
CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe CWE-1038 5.4AIMediumAI2025-06-09
CVE-2025-48062 Discourse vulnerable to HTML injection when inviting to topic via email CWE-116 7.1 High2025-06-09
CVE-2025-48053 Discourse vulnerable to DoS via large URL payload in PM to a bot CWE-400 4.3AIMediumAI2025-06-09
CVE-2025-46813 Private data leak on login-required Discourse sites CWE-200 5.8 Medium2025-05-05
CVE-2025-32376 Discourse DM limits aren’t always properly enforced CWE-284 4.3AIMediumAI2025-04-30

All 259 known CVE vulnerabilities affecting discourse with full Chinese analysis, references, and POCs where available.