
Discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform used primarily for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices such as Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software's active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators should prioritize regular updates and strict plugin management to mitigate these risks effectively.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-30606 | Multisite denial of service through unsanitized dynamic dispatch to SiteSetting in Discourse | discourse | CWE-732 | 4.2 | Medium | 2023-04-18 |
| CVE-2023-30538 | Stored Cross-site Scripting via improper sanitization of svg files in Discourse | discourse | CWE-79 | 5.4 | Medium | 2023-04-18 |
| CVE-2023-29196 | HTML injection via topic embedding in Discourse | discourse | CWE-79 | 4.2 | Medium | 2023-04-18 |
| CVE-2023-28440 | Denial of service via admin theme import route in Discourse | discourse | CWE-400 | 2.7 | Low | 2023-04-18 |
| CVE-2023-28112 | Discourse's SSRF protection missing for some FastImage requests | discourse | CWE-918 | 5.9 | Medium | 2023-03-17 |
| CVE-2023-28111 | Discourse vulnerable to SSRF protection bypass possible with IPv4-mapped IPv6 addresses | discourse | CWE-918 | 5.7 | Medium | 2023-03-17 |
| CVE-2023-28107 | Discourse vulnerable to multisite DoS by spamming backups | discourse | CWE-770 | 4.5 | Medium | 2023-03-17 |
| CVE-2023-25172 | Discourse vulnerable to Cross-site Scripting - user name displayed on post | discourse | CWE-79 | 4.4 | Medium | 2023-03-17 |
| CVE-2023-26040 | Discourse chat messages susceptible to Cross-site Scripting through chat excerpts | discourse | CWE-79 | 6.5 | Medium | 2023-03-17 |
| CVE-2023-23622 | Discourse: Presence of read restricted topics may be leaked if tagged with a tag that is visible to all users | discourse | CWE-200 | 4.3 | Medium | 2023-03-17 |
| CVE-2023-23935 | Presence of restricted personal Discourse messages may be leaked if tagged with a tag | discourse | CWE-200 | 3.5 | Low | 2023-03-16 |
| CVE-2023-25169 | Yearly Review Plugin leaking anonymised users data in discourse-yearly-review | discourse-yearly-review | CWE-200 | 3.1 | Low | 2023-03-06 |
| CVE-2023-25819 | Discourse tags with no visibility are leaking into og:article:tag | discourse | CWE-359 | 5.3 | Medium | 2023-03-04 |
| CVE-2023-25167 | Regular expression denial of service via installing themes via git in discourse | discourse | CWE-1333 | 6.5 | Medium | 2023-02-08 |
| CVE-2023-23615 | Malicious users in Discourse can create spam topics as any user due to improper access control | discourse | CWE-284 | 5.3 | Medium | 2023-02-03 |
| CVE-2023-23624 | Discourse's exclude_tags param could leak which topics had a specific hidden tag | discourse | CWE-200 | 4.3 | Medium | 2023-01-27 |
| CVE-2023-23621 | Discourse vulnerable to ReDoS in user agent parsing | discourse | CWE-1333 | 8.6 | High | 2023-01-27 |
| CVE-2023-22740 | Discourse vulnerable to Allocation of Resources Without Limits via Chat drafts | discourse | CWE-770 | 4.3 | Medium | 2023-01-27 |
| CVE-2023-23616 | Discourse membership requests lack character limit | discourse | CWE-400 | 3.5 | Low | 2023-01-27 |
| CVE-2023-23620 | Discourse restricted tag routes leak topic information | discourse | CWE-200 | 5.3 | Medium | 2023-01-27 |
| CVE-2023-22739 | Discourse subject to Allocation of Resources Without Limits or Throttling | discourse | CWE-770 | 6.5 | Medium | 2023-01-26 |
| CVE-2023-22468 | Discourse vulnerable to Cross-site Scripting in local oneboxes | discourse | CWE-79 | 8.8 | High | 2023-01-26 |
| CVE-2023-22455 | Discourse vulnerable to Cross-site Scripting through tag descriptions | discourse | CWE-79 | 6.8 | Medium | 2023-01-05 |
| CVE-2023-22454 | Discourse vulnerable to Cross-site Scripting through pending post titles descriptions | discourse | CWE-79 | 8.0 | High | 2023-01-05 |
| CVE-2023-22453 | Discourse vulnerable to exposure of user post counts per topic to unauthorized users | discourse | CWE-200 | 5.3 | Medium | 2023-01-05 |
| CVE-2022-46177 | Discourse password reset link can lead to account takeover if user changes to a new email | discourse | CWE-613 | 5.7 | Medium | 2023-01-05 |
| CVE-2022-23546 | Discourse vulnerable to private topic leak via email#send_digest | discourse | CWE-200 | 5.5 | Medium | 2023-01-05 |
| CVE-2022-46168 | Group SMTP user emails are exposed in CC email header | discourse | CWE-359 | 3.5 | Low | 2023-01-05 |
| CVE-2022-23548 | Discourse cross-site scripting vulnerability | discourse | CWE-1333 | 6.5 | Medium | 2023-01-05 |
| CVE-2022-23549 | Discourse vulnerable to bypass of post max_length using HTML comments | discourse | CWE-20 | 5.7 | Medium | 2023-01-05 |

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.