Discourse — Vulnerabilities & Security Advisories 265

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform primarily utilized for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices like Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

CVE ID	Title	CVSS	Severity	Published
CVE-2023-23620	Discourse restricted tag routes leak topic information — discourseCWE-200	5.3	Medium	2023-01-27
CVE-2023-22739	Discourse subject to Allocation of Resources Without Limits or Throttling — discourseCWE-770	6.5	Medium	2023-01-26
CVE-2023-22468	Discourse vulnerable to Cross-site Scripting in local oneboxes — discourseCWE-79	8.8	High	2023-01-26
CVE-2023-22455	Discourse vulnerable to Cross-site Scripting through tag descriptions — discourseCWE-79	6.8	Medium	2023-01-05
CVE-2023-22454	Discourse vulnerable to Cross-site Scripting through pending post titles descriptions — discourseCWE-79	8.0	High	2023-01-05
CVE-2023-22453	Discourse vulnerable to exposure of user post counts per topic to unauthorized users — discourseCWE-200	5.3	Medium	2023-01-05
CVE-2022-46177	Discourse password reset link can lead to in account takeover if user changes to a new email — discourseCWE-613	5.7	Medium	2023-01-05
CVE-2022-23546	Discourse vulnerable to private topic leak via email#send_digest — discourseCWE-200	5.5	Medium	2023-01-05
CVE-2022-46168	Group SMTP user emails are exposed in CC email header — discourseCWE-359	3.5	Low	2023-01-05
CVE-2022-23548	Discourse 跨站脚本漏洞 — discourseCWE-1333	6.5	Medium	2023-01-05
CVE-2022-23549	Discourse vulnerable to bypass of post max_length using HTML comments — discourseCWE-20	5.7	Medium	2023-01-05
CVE-2022-46159	Any authenticated Discourse user can create an unlisted topic — discourseCWE-770	4.3	Medium	2022-12-02
CVE-2022-46148	Discourse allows self-XSS through malicious composer message — discourseCWE-79	7.1	High	2022-11-29
CVE-2022-46150	Discourse may allow exposure of hidden tags in the subject of notification emails — discourseCWE-200	4.3	Medium	2022-11-29
CVE-2022-41921	Discourse chat messages should have a maximum character limit — discourseCWE-20	3.5	Low	2022-11-28
CVE-2022-41944	Discourse users can see notifications for topics they no longer have access to — discourseCWE-200	3.5	Low	2022-11-28
CVE-2022-39385	Users erroneously and transparently added to private messages in Discourse — discourseCWE-200	6.5	Medium	2022-11-14
CVE-2022-39241	Possible Server-Side Request Forgery (SSRF) in webhooks — discourseCWE-918	7.6	High	2022-11-02
CVE-2022-39356	Discourse user account takeover via email and invite link — discourseCWE-285	8.9	High	2022-11-02
CVE-2022-39378	Displaying user badges can leak topic titles to users that have no access to the topic — discourseCWE-200	5.3	Medium	2022-11-02
CVE-2022-39232	Discourse vulnerable to incomplete quote causing a topic to crash in the browser — discourseCWE-20	6.5	Medium	2022-09-29
CVE-2022-39226	Discourse user profile location and website fields were not sufficiently length-limited — discourseCWE-770	4.3	Medium	2022-09-29
CVE-2022-36068	Discourse moderators can edit themes via the API — discourseCWE-862	7.2	High	2022-09-29
CVE-2022-36066	Discourse vulnerable to RCE via admins uploading maliciously zipped file — discourseCWE-434	9.1	Critical	2022-09-29
CVE-2022-31184	Email activation route can be abused by spammers in Discourse — discourseCWE-770	6.5	Medium	2022-08-01
CVE-2022-31182	Cache poisoning via maliciously-formed request in Discourse — discourseCWE-404	5.3	Medium	2022-08-01
CVE-2022-31096	Invites restricted to an email or invite links restricted to an email domain may be bypassed by a under certain conditions in Discourse — discourseCWE-281	5.7	Medium	2022-06-27
CVE-2022-31060	Banner topic data is exposed on login-required Discourse sites — discourseCWE-200	5.3	Medium	2022-06-14
CVE-2022-31025	Invite bypasses user approval in Discourse — discourseCWE-285	2.6	Low	2022-06-03
CVE-2022-24850	Category group permissions leaked in Discourse — discourseCWE-200	5.3	Medium	2022-04-14

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

Discourse — Vulnerabilities & Security Advisories 265