Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform primarily utilized for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices like Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

Top products by Discourse: discourse discourse-calendar discourse-reactions discourse-chat discourse-ai discourse-policy discourse-code-review discourse-placeholder-theme-component WP Discourse discourse-microsoft-auth discourse-group-membership-ip-block discourse-jira discourse-encrypt discourse-yearly-review discourse-mermaid-theme-component discourse-bbcode discourse-patreon DiscoTOC discourse-assign message_bus discourse-footnote rails_multisite
CVE IDTitleCVSSSeverityPublished
CVE-2023-46130 Bypassing height value allowed in some theme components — discourseCWE-770 4.3 Medium2023-11-10
CVE-2023-45816 Unread bookmark reminder notifications that the user cannot access can be seen — discourseCWE-200 3.3 Low2023-11-10
CVE-2023-45806 Discourse vulnerable to DoS via Regexp Injection in Full Name — discourseCWE-1333 4.3 Medium2023-11-10
CVE-2023-43658 Improper escaping of user input in discourse-calendar — discourse-calendarCWE-79 8.0 High2023-10-16
CVE-2023-45131 Unauthenticated access to new private chat messages in Discourse — discourseCWE-200 7.5 High2023-10-16
CVE-2023-44391 Prevent unauthorized access to summary details in Discourse — discourseCWE-200 5.3 Medium2023-10-16
CVE-2023-44388 Malicious requests can fill up the log files resulting in a deinal of service in Discourse — discourseCWE-400 7.5 High2023-10-16
CVE-2023-43814 Exposure of poll options and votes to unauthorized users in Discourse — discourseCWE-200 3.7 Low2023-10-16
CVE-2023-43659 Cross-site Scripting via email preview when CSP disabled in Discourse — discourseCWE-79 8.0 High2023-10-16
CVE-2023-45147 Arbitrary keys can be added to a topic's custom fields by any user in Discourse — discourseCWE-200 4.9 Medium2023-10-16
CVE-2023-44384 Discourse-Jira could make SSRF attack by setting Jira URL to an arbitrary location — discourse-jiraCWE-691 4.1 Medium2023-10-06
CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration — discourse-encryptCWE-79 7.2 High2023-09-28
CVE-2023-41043 Discourse DoS via SvgSprite cache — discourseCWE-770 6.5 Medium2023-09-15
CVE-2023-41042 Discourse DoS via remote theme assets — discourseCWE-770 4.9 Medium2023-09-15
CVE-2023-40588 Discourse DoS via 2FA and Security Key Names — discourseCWE-770 6.5 Medium2023-09-15
CVE-2023-38706 Discourse vulnerable to DoS via drafts — discourseCWE-770 6.5 Medium2023-09-15
CVE-2023-38685 Discourse's restricted tag information visible to unauthenticated users — discourseCWE-200 4.3 Medium2023-07-28
CVE-2023-38684 Discourse vulnerable to ossible DDoS due to unbounded limits in various controller actions — discourseCWE-770 5.3 Medium2023-07-28
CVE-2023-38498 Discourse vulnerable to DoS via defer queue — discourseCWE-400 4.3 Medium2023-07-28
CVE-2023-37906 Discourse vulnerable to DoS via post edit reason — discourseCWE-770 4.3 Medium2023-07-28
CVE-2023-37904 Discourse Race Condition in Accept Invite — discourseCWE-362 2.6 Low2023-07-28
CVE-2023-37467 Discourse CSP nonce reuse vulnerability for anonymous users — discourseCWE-323 6.8 Medium2023-07-28
CVE-2023-36818 Denial of service via User Custom Sidebar Section Unlimited Link Creation in discourse — discourseCWE-400 6.5 Medium2023-07-14
CVE-2023-36466 Topic Title Validation Skipped When Changing Category in Discourse — discourseCWE-20 3.5 Low2023-07-14
CVE-2023-36473 CSP nonce reuse vulnerability in Discourse — discourseCWE-79 6.8 Medium2023-07-13
CVE-2023-34250 Discourse vulnerable to exposure of number of topics recently created in private categories — discourseCWE-200 4.8 Medium2023-06-13
CVE-2023-32301 Discourse's canonical url not being used for topic embeddings — discourseCWE-116 3.1 Low2023-06-13
CVE-2023-32061 Discourse Topic Creation Page Allows iFrame Tag without Restrictions — discourseCWE-863 5.4 Medium2023-06-13
CVE-2023-31142 Discourse's general category permissions could be set back to default — discourseCWE-732 2.0 Low2023-06-13
CVE-2023-30611 Reaction metadata exposed in private topics in Discourse-reactions — discourse-reactionsCWE-200 4.3 Medium2023-04-19

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.