
Discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting Discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform primarily utilized for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices like Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-46180 | Arbitrary HTML injection in discourse-mermaid-theme-component | discourse-mermaid-theme-component | CWE-74 | 5.0 | Medium | 2023-01-04 |
| CVE-2022-46159 | Any authenticated Discourse user can create an unlisted topic | discourse | CWE-770 | 4.3 | Medium | 2022-12-02 |
| CVE-2022-46162 | Discourse BBCode plugin vulnerable to arbitrary CSS injection | discourse-bbcode | CWE-74 | 8.8 | High | 2022-11-30 |
| CVE-2022-46148 | Discourse allows self-XSS through malicious composer message | discourse | CWE-79 | 7.1 | High | 2022-11-29 |
| CVE-2022-46150 | Discourse may allow exposure of hidden tags in the subject of notification emails | discourse | CWE-200 | 4.3 | Medium | 2022-11-29 |
| CVE-2022-41921 | Discourse chat messages should have a maximum character limit | discourse | CWE-20 | 3.5 | Low | 2022-11-28 |
| CVE-2022-41944 | Discourse users can see notifications for topics they no longer have access to | discourse | CWE-200 | 3.5 | Low | 2022-11-28 |
| CVE-2022-39385 | Users erroneously and transparently added to private messages in Discourse | discourse | CWE-200 | 6.5 | Medium | 2022-11-14 |
| CVE-2022-41913 | Discourse-calendar exposes members of hidden groups | discourse-calendar | CWE-200 | 4.3 | Medium | 2022-11-14 |
| CVE-2022-39241 | Possible Server-Side Request Forgery (SSRF) in webhooks | discourse | CWE-918 | 7.6 | High | 2022-11-02 |
| CVE-2022-39356 | Discourse user account takeover via email and invite link | discourse | CWE-285 | 8.9 | High | 2022-11-02 |
| CVE-2022-39378 | Displaying user badges can leak topic titles to users that have no access to the topic | discourse | CWE-200 | 5.3 | Medium | 2022-11-02 |
| CVE-2022-39355 | Discourse Patreon vulnerable to improper validation of email during Patreon authentication | discourse-patreon | CWE-287 | 9.1 | Critical | 2022-10-26 |
| CVE-2022-39270 | Arbitrary HTML injection in table-of-contents theme component in DiscoTOC | DiscoTOC | CWE-79 | 5.4 | Medium | 2022-10-06 |
| CVE-2022-39279 | Discourse-chat plugin susceptible to XSS in channel name and description | discourse-chat | CWE-79 | 4.3 | Medium | 2022-10-06 |
| CVE-2022-39232 | Discourse vulnerable to incomplete quote causing a topic to crash in the browser | discourse | CWE-20 | 6.5 | Medium | 2022-09-29 |
| CVE-2022-39226 | Discourse user profile location and website fields were not sufficiently length-limited | discourse | CWE-770 | 4.3 | Medium | 2022-09-29 |
| CVE-2022-36068 | Discourse moderators can edit themes via the API | discourse | CWE-862 | 7.2 | High | 2022-09-29 |
| CVE-2022-36066 | Discourse vulnerable to RCE via admins uploading maliciously zipped file | discourse | CWE-434 | 9.1 | Critical | 2022-09-29 |
| CVE-2022-36057 | Discourse-Chat Cross-Site Scripting issue for channel names and descriptions | discourse-chat | CWE-80 | 5.4 | Medium | 2022-09-06 |
| CVE-2022-31184 | Email activation route can be abused by spammers in Discourse | discourse | CWE-770 | 6.5 | Medium | 2022-08-01 |
| CVE-2022-31182 | Cache poisoning via maliciously-formed request in Discourse | discourse | CWE-404 | 5.3 | Medium | 2022-08-01 |
| CVE-2022-31096 | Invites restricted to an email or invite links restricted to an email domain may be bypassed under certain conditions in Discourse | discourse | CWE-281 | 5.7 | Medium | 2022-06-27 |
| CVE-2022-31095 | Exposure of Sensitive Information in discourse-chat | discourse-chat | CWE-200 | 4.3 | Medium | 2022-06-21 |
| CVE-2022-31060 | Banner topic data is exposed on login-required Discourse sites | discourse | CWE-200 | 5.3 | Medium | 2022-06-14 |
| CVE-2022-31059 | Discourse Calendar Event names susceptible to Cross-site Scripting | discourse-calendar | CWE-79 | 6.5 | Medium | 2022-06-14 |
| CVE-2022-31025 | Invite bypasses user approval in Discourse | discourse | CWE-285 | 2.6 | Low | 2022-06-03 |
| CVE-2022-24866 | Exposure of Sensitive Information to an Unauthorized Actor in Discourse Assign | discourse-assign | CWE-200 | 4.3 | Medium | 2022-04-26 |
| CVE-2022-24850 | Category group permissions leaked in Discourse | discourse | CWE-200 | 5.3 | Medium | 2022-04-14 |
| CVE-2022-24824 | Anonymous user cache poisoning in discourse | discourse | CWE-829 | 5.3 | Medium | 2022-04-14 |

This page lists every published CVE security advisory associated with Discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.