
Discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform used mainly for community forums and online communities. Its stack, a Ruby on Rails back end with an Ember.js front end, has historically been affected by the common classes of web application vulnerability. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE) and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices such as Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase rather than an inherent systemic failure. Administrators should prioritize regular updates and strict plugin management to mitigate these risks effectively.

Values marked (AI) carry an "AI" badge in the source listing.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-48877 | Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe | discourse | CWE-1038 | 5.4 (AI) | Medium (AI) | 2025-06-09 |
| CVE-2025-48062 | Discourse vulnerable to HTML injection when inviting to topic via email | discourse | CWE-116 | 7.1 | High | 2025-06-09 |
| CVE-2025-48053 | Discourse vulnerable to DoS via large URL payload in PM to a bot | discourse | CWE-400 | 4.3 (AI) | Medium (AI) | 2025-06-09 |
| CVE-2025-47288 | Discourse Policy plugin private group members visible | discourse-policy | CWE-200 | 3.5 | Low | 2025-05-29 |
| CVE-2025-46824 | Discourse Code Review Plugin vulnerable to XSS via auto link commits | discourse-code-review | CWE-79 | 3.1 | Low | 2025-05-07 |
| CVE-2025-46813 | Private data leak on login-required Discourse sites | discourse | CWE-200 | 5.8 | Medium | 2025-05-05 |
| CVE-2025-32376 | Discourse DM limits aren’t always properly enforced | discourse | CWE-284 | 4.3 (AI) | Medium (AI) | 2025-04-30 |
| CVE-2025-24972 | Discourse may bypass user preference when adding users to chat groups | discourse | CWE-862 | 4.3 | Medium | 2025-03-26 |
| CVE-2025-24808 | Discourse has race condition when adding users to a group DM | discourse | CWE-362 | 4.3 | Medium | 2025-03-26 |
| CVE-2024-53266 | Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse | discourse | CWE-79 | 4.3 | Medium | 2025-02-04 |
| CVE-2024-53851 | Partial denial of service via inline oneboxes in Discourse | discourse | CWE-400 | 4.3 | Medium | 2025-02-04 |
| CVE-2024-53994 | Potential bypass of chat permissions in Discourse | discourse | CWE-281 | 4.3 | Medium | 2025-02-04 |
| CVE-2024-55948 | Anonymous cache poisoning via XHR requests in Discourse | discourse | CWE-346 | 8.2 | High | 2025-02-04 |
| CVE-2024-56197 | Users can see other user's tagged PMs in Discourse | discourse | CWE-200 | 2.2 | Low | 2025-02-04 |
| CVE-2024-56328 | HTMLi (XSS without CSP) via Onebox urls in Discourse | discourse | CWE-79 | 6.5 | Medium | 2025-02-04 |
| CVE-2025-22601 | Client Side Path Traversal using activate account route in Discourse | discourse | CWE-22 | 3.1 | Low | 2025-02-04 |
| CVE-2025-22602 | Stored DOM-based XSS (without CSP) via video placeholders in Discourse | discourse | CWE-79 | 6.5 | Medium | 2025-02-04 |
| CVE-2025-23023 | Anonymous cache poisoning via request headers in Discourse | discourse | CWE-346 | 8.2 | High | 2025-02-04 |
| CVE-2024-54142 | Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse | discourse-ai | CWE-79 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-49765 | Bypass of Discourse Connect using other login paths if enabled in Discourse | discourse | CWE-359 | 5.3 | Medium | 2024-12-19 |
| CVE-2024-52589 | Moderators can view Screened emails even when the “moderators view emails” option is disabled in Discourse | discourse | CWE-200 | 2.2 | Low | 2024-12-19 |
| CVE-2024-52794 | Magnific lightbox susceptible to Cross-site Scripting in Discourse | discourse | CWE-79 | 6.8 | Medium | 2024-12-19 |
| CVE-2024-53991 | Potential Backup file leaked via Nginx in Discourse | discourse | CWE-200 | 7.5 | High | 2024-12-19 |
| CVE-2024-47773 | Anonymous cache poisoning via XHR requests in Discourse | discourse | CWE-610 | 8.2 | High | 2024-10-08 |
| CVE-2024-47772 | Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse | discourse | CWE-79 | 6.5 | Medium | 2024-10-07 |
| CVE-2024-43789 | Denial of service by the absence of restrictions on replies to posts in Discourse | discourse | CWE-400 | 7.5 | High | 2024-10-07 |
| CVE-2024-45297 | Prevent topic list filtering by hidden tags for unauthorized users in Discourse | discourse | CWE-269 | 5.3 | Medium | 2024-10-07 |
| CVE-2024-45051 | Bypass of email address validation via encoded email addresses in Discourse | discourse | CWE-287 | 8.2 | High | 2024-10-07 |
| CVE-2024-45303 | Discourse Calendar plugin event names susceptible to XSS | discourse-calendar | CWE-79 | 6.1 | Medium | 2024-09-12 |
| CVE-2024-21658 | Insufficient control of region value length in discourse-calendar | discourse-calendar | CWE-400 | 4.3 | Medium | 2024-08-30 |

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.