
discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform primarily utilized for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices like Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-30891 | Discourse has Unauthorized Exposure of Private User Action Types | discourse | CWE-200 | 6.5 | - | 2026-03-20 |
| CVE-2026-30889 | Discourse has Unauthorized Post Data Exposure in discourse-user-notes | discourse | CWE-862 | 4.3 | - | 2026-03-20 |
| CVE-2026-30888 | Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint | discourse | CWE-269 | 2.2 | Low | 2026-03-20 |
| CVE-2026-33408 | Discourse has Improper Authorization in "Post Edits" Report For Moderators | discourse | CWE-862 | 2.2 | Low | 2026-03-19 |
| CVE-2026-33395 | Discourse has stored click-based XSS via Graphviz SVG javascript: links | discourse | CWE-79 | 4.4 | Medium | 2026-03-19 |
| CVE-2026-33394 | Discourse leaks PM post edits to moderators | discourse | CWE-200 | 2.7 | Low | 2026-03-19 |
| CVE-2026-33393 | Discourse fixes loose hostname matching in spam host allowlist | discourse | CWE-284 | 4.3 | Medium | 2026-03-19 |
| CVE-2026-33355 | Discourse filters whisper posts from private-posts feed | discourse | CWE-200 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33410 | Discourse hardens chat DM channel creation and expansion | discourse | CWE-863 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-32099 | Discourse prevents hidden profile data leak via user onebox | discourse | CWE-200 | 4.3 | Medium | 2026-03-19 |
| CVE-2026-29072 | Discourse missing permission check for policy creation in discourse-policy | discourse | CWE-862 | 4.3 | - | 2026-03-19 |
| CVE-2026-28282 | Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin | discourse | CWE-863 | 6.5 | - | 2026-03-19 |
| CVE-2026-27936 | Discourse discloses restricted post-action counts to non-privileged users | discourse | CWE-863 | 4.3 | - | 2026-03-19 |
| CVE-2026-27935 | Discourse leaks private topic metadata to non-authorized users | discourse | CWE-201 | 4.3 | - | 2026-03-19 |
| CVE-2026-27934 | Discourse leaks private topic title and post excerpt via user action API endpoint | discourse | CWE-201 | 4.3 | - | 2026-03-19 |
| CVE-2026-27740 | Discourse has Stored XSS in AI Triage Automation | discourse | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-27570 | Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox | discourse | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-27491 | Discourse has a bypass of official warnings messages by non-staff users | discourse | CWE-862 | 4.3 | - | 2026-03-19 |
| CVE-2026-27454 | Discourse has check revision visibility on posts endpoint | discourse | CWE-862 | 5.3 | Medium | 2026-03-19 |
| CVE-2026-27166 | Discourse vulnerable to HTML injection via prohibited iframe URLs | discourse | CWE-80 | 4.1 | Medium | 2026-03-19 |
| CVE-2026-28227 | Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category | discourse | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-28219 | Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners | discourse | CWE-915 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-28218 | Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution | discourse | CWE-284 | 8.8 (AI) | High (AI) | 2026-02-26 |
| CVE-2026-27154 | Discourse has XSS when editing a malicious post | discourse | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27153 | Discourse doesn't prevent moderators from exporting user Chat DMs | discourse | CWE-863 | 5.4 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27152 | Discourse has DM communication-preference bypass when adding members | discourse | CWE-284 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27162 | Discourse doesn't prevent whispers to leak in excerpts | discourse | CWE-200 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27151 | Discourse doesn't validate destination topic when moving posts | discourse | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27150 | Discourse doesn't ensure guardian check when creating QueryGroupBookmark | discourse | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27149 | Discourse has SQL injection in PM tag filtering | discourse | CWE-89 | 6.5 (AI) | Medium (AI) | 2026-02-26 |

CVSS scores and severities marked "(AI)" carry the listing's AI badge rather than a published score; "-" means no severity was listed.

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.