
Discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform used for community forums. It is built on Ruby on Rails and Ember.js and, like any large web application, is exposed to the usual web-application vulnerability classes. The advisories listed below cluster around a few recurring areas: cross-site scripting, often through the Onebox link-preview system; denial of service through unbounded inputs, oversized serializer payloads and unthrottled endpoints (CWE-400, CWE-770); server-side request forgery in code that fetches remote URLs (FastImage, Embedding, the discourse-ai plugin); missing or incorrect authorization checks (CWE-862, CWE-863); and disclosure of data that should stay hidden (secret categories and subcategories, private event invitees, reaction data). Core Discourse ships with mitigations such as a Content Security Policy, which is why CVE-2024-43408 is recorded as an XSS that CSP stops, but the plugin and theme-component ecosystem widens the attack surface: 9 of the 30 entries shown below are in plugins or theme components rather than core, including the single Critical entry, CVE-2023-46241 in discourse-microsoft-auth. The high volume of CVEs reflects the project's active development cycle and the scrutiny applied to its codebase rather than systemic failure. Administrators should keep core and every installed plugin on a current release and treat third-party plugins and theme components as part of their attack surface.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-43408 | Discourse Placeholder Forms has an XSS stopped by CSP | discourse-placeholder-theme-component | CWE-79 | 6.3 | Medium | 2024-08-20 |
| CVE-2024-39320 | Discourse allows iframe injection through default site setting | discourse | CWE-74 | 6.1 | Medium | 2024-07-30 |
| CVE-2024-37299 | Discourse vulnerable to DoS via Tag Group | discourse | CWE-400 | 4.9 | Medium | 2024-07-30 |
| CVE-2024-37165 | Discourse has an XSS via Onebox system | discourse | CWE-79 | 6.3 | Medium | 2024-07-30 |
| CVE-2024-38360 | Denial of service via Watched Words in Discourse | discourse | CWE-400 | 4.9 | Medium | 2024-07-15 |
| CVE-2024-37157 | Discourse vulnerable to Server-Side Request Forgery via FastImage | discourse | CWE-918 | 6.4 | Medium | 2024-07-03 |
| CVE-2024-36122 | Discourse doesn't limit reviewable user serializer payload | discourse | CWE-200 | 2.4 | Low | 2024-07-03 |
| CVE-2024-36113 | Discourse missing authorization checks for suspending admins/moderators | discourse | CWE-862 | 4.9 | Medium | 2024-07-03 |
| CVE-2024-35234 | Discourse vulnerable to stored DOM XSS via Facebook Oneboxes | discourse | CWE-79 | 4.2 | Medium | 2024-07-03 |
| CVE-2024-35227 | Discourse vulnerable to DoS through Onebox | discourse | CWE-20 | 7.5 | High | 2024-07-03 |
| CVE-2024-35168 | WordPress WP Discourse plugin <= 2.5.1 - Broken Access Control vulnerability | WP Discourse | CWE-862 | 4.3 | Medium | 2024-06-11 |
| CVE-2024-31219 | Discourse-reactions' reaction data and public topic whisper content exposed on reactions given user activity page | discourse-reactions | CWE-200 | 4.3 | Medium | 2024-04-15 |
| CVE-2024-27085 | Denial of service through invites in Discourse | discourse | CWE-400 | 6.5 | Medium | 2024-03-15 |
| CVE-2024-27100 | Denial of service via Staff Actions in Discourse | discourse | CWE-400 | 6.5 | Medium | 2024-03-15 |
| CVE-2024-28242 | Disclosure of the existence of secret categories with custom backgrounds in Discourse | discourse | CWE-200 | 5.3 | Medium | 2024-03-15 |
| CVE-2024-24748 | Disclosure of the existence of secret subcategories in Discourse | discourse | CWE-200 | 5.3 | Medium | 2024-03-15 |
| CVE-2024-24827 | No rate limits on POST /uploads endpoint in Discourse | discourse | CWE-400 | 5.3 | Medium | 2024-03-15 |
| CVE-2024-24817 | User can see invitees in events created in PMs and private categories | discourse-calendar | CWE-200 | 4.3 | Medium | 2024-02-22 |
| CVE-2024-23654 | discourse-ai admin-initiated SSRF when interacting with AI services | discourse-ai | CWE-918 | 4.1 | Medium | 2024-02-21 |
| CVE-2024-26145 | Uninvited user is able to join and mark attendance of a private event | discourse-calendar | CWE-863 | 6.5 | Medium | 2024-02-21 |
| CVE-2023-46241 | Potential account takeover due to unverified emails from Microsoft Identity Platform | discourse-microsoft-auth | CWE-863 | 9.1 | Critical | 2024-02-21 |
| CVE-2024-24755 | discourse-group-membership-ip-block is exposing potentially sensitive custom fields | discourse-group-membership-ip-block | CWE-200 | 4.3 | Medium | 2024-02-01 |
| CVE-2024-23834 | Discourse improperly sanitized user input leads to XSS | discourse | CWE-79 | 6.3 | Medium | 2024-01-30 |
| CVE-2023-49099 | Discourse secure uploads accessible to guests even when login is required | discourse | CWE-284 | 3.1 | Low | 2024-01-12 |
| CVE-2024-21655 | Insufficient control of custom field value sizes | discourse | CWE-400 | 4.3 | Medium | 2024-01-12 |
| CVE-2023-49098 | Reaction data for user notifications exposed in Discourse-reactions | discourse-reactions | CWE-284 | 3.5 | Low | 2024-01-12 |
| CVE-2023-48297 | Discourse vulnerable to unlimited mentioned users in message serializer | discourse | CWE-400 | 8.6 | High | 2024-01-12 |
| CVE-2023-47121 | Discourse SSRF vulnerability in Embedding | discourse | CWE-918 | 3.4 | Low | 2023-11-10 |
| CVE-2023-47120 | Discourse DoS through Onebox favicon URL | discourse | CWE-770 | 7.5 | High | 2023-11-10 |
| CVE-2023-47119 | HTML injection in oneboxed links | discourse | CWE-74 | 5.3 | Medium | 2023-11-10 |
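A practical way to use a listing like this is to filter it down to the components a given site actually runs and then rank what is left by score and recency. The script below is an added example written for this page; it is not tooling from this site or from the Discourse project. It parses rows in the one-line form the listing is exported in (CVE id, title, an em dash, then the component name glued to the CWE id, the score, and the severity glued to the date), using eight rows copied from the table as a constructed sample, and the set of installed components is a hypothetical site used only for illustration.

```python
"""Parse and triage advisory rows in the one-line export format of this listing.

Added example, not tooling from this site or from the Discourse project.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample: eight rows copied from the listing above, in the one-line
# form in which the component name runs straight into the CWE id and the
# severity word runs straight into the publication date.
SAMPLE_ROWS = """\
CVE-2024-43408 Discourse Placeholder Forms has a XSS stopped by CSP — discourse-placeholder-theme-componentCWE-79 6.3 Medium2024-08-20
CVE-2024-37157 Discourse vulnerable to Server-Side Request Forgery via FastImage — discourseCWE-918 6.4 Medium2024-07-03
CVE-2024-35227 Discourse vulnerable to DoS through Onebox — discourseCWE-20 7.5 High2024-07-03
CVE-2024-36113 Discourse missing authorization checks for suspending admins/moderators — discourseCWE-862 4.9 Medium2024-07-03
CVE-2023-46241 Potential account take over due to unverified emails from Microsoft Identity Platform — discourse-microsoft-authCWE-863 9.1 Critical2024-02-21
CVE-2023-48297 Discourse vulnerable to unlimited mentioned users in message serializer — discourseCWE-400 8.6 High2024-01-12
CVE-2023-47120 Discourse DoS through Onebox favicon URL — discourseCWE-770 7.5 High2023-11-10
CVE-2023-47119 HTML injection in oneboxed links — discourseCWE-74 5.3 Medium2023-11-10
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"                    # title ends at the em dash separator
    r"(?P<component>.+?)"                      # component name, glued to the CWE id
    r"(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<severity>Low|Medium|High|Critical)"  # severity is glued to the date
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    component: str
    cwe: str
    cvss: float
    severity: str
    published: date


def parse_rows(text: str) -> list[Advisory]:
    """Return one Advisory per well-formed line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        rows.append(Advisory(
            cve=m["cve"], title=m["title"], component=m["component"],
            cwe=m["cwe"], cvss=float(m["cvss"]), severity=m["severity"],
            published=date.fromisoformat(m["published"]),
        ))
    return rows


def applicable(advisories: list[Advisory], installed: set[str]) -> list[Advisory]:
    """Keep advisories whose component is deployed on the site being triaged.

    Put "discourse" in `installed` for core; a plugin or theme-component
    advisory only matters if that component is actually installed.
    """
    return [a for a in advisories if a.component in installed]


def prioritize(advisories: list[Advisory], min_cvss: float = 7.0) -> list[Advisory]:
    """Highest CVSS first, newest first on ties; entries below min_cvss are dropped."""
    kept = [a for a in advisories if a.cvss >= min_cvss]
    return sorted(kept, key=lambda a: (-a.cvss, -a.published.toordinal()))


def component_counts(advisories: list[Advisory]) -> Counter:
    """How many advisories land in core versus each plugin or theme component."""
    return Counter(a.component for a in advisories)


def cwe_counts(advisories: list[Advisory]) -> Counter:
    """Which weakness classes recur (CWE-79 XSS, CWE-400 DoS, CWE-918 SSRF, ...)."""
    return Counter(a.cwe for a in advisories)


if __name__ == "__main__":
    advisories = parse_rows(SAMPLE_ROWS)
    # Hypothetical site: core plus the Microsoft auth plugin, nothing else.
    installed = {"discourse", "discourse-microsoft-auth"}
    for a in prioritize(applicable(advisories, installed)):
        print(f"{a.cve}  {a.cvss:>4}  {a.severity:<8}  {a.component}  {a.cwe}  {a.title}")
    print("by component:", dict(component_counts(advisories)))
    print("by CWE:", dict(cwe_counts(advisories)))
```

The component filter is the part that matters most in practice: of the sample rows, the only Critical entry is in discourse-microsoft-auth, so a site without that plugin can deprioritize it, while a site that has it should treat an unverified-email account takeover as an update-now item regardless of where core stands.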

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.