
discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, PoCs, and references are provided for each vulnerability.

Discourse is an open-source discussion platform used mainly for community forums. It is built on Ruby on Rails and Ember.js and, like any large web application with a rich permission model, has accumulated a steady stream of web-class vulnerabilities. The advisories listed here are dominated by information-exposure flaws (CWE-200 and CWE-668): leaks of private group names, secure-category names, whisper participants, private-message titles and notifications, where a secondary code path (group advanced search, user activity export, the discourse-reactions plugin) exposed data that the normal views restrict. Cross-site scripting (CWE-79) through user-controlled content such as category names, watched-word error messages, YouTube oneboxes and popover attributes is the next most common class, followed by denial of service, cache poisoning, and authentication or authorization bypasses (invite approval bypass, re-use of email tokens, poll voting limits). A small number of entries are high impact: a critical remote code execution via a malicious SNS subscription payload (CVE-2021-41163, CVSS 10.0) and secure/signed cookies sharing secrets across sites in the rails_multisite gem (CVE-2021-41263, CVSS 8.3). Several advisories affect supporting gems and plugins (message_bus, rails_multisite, discourse-footnotes, discourse-reactions) rather than the core application, which is why plugin management matters as much as core updates. Discourse ships a Content Security Policy and an automated test suite, but its size and plugin ecosystem keep the attack surface broad. The volume of CVEs reflects an active development cycle and sustained security research against the codebase rather than systemic failure; the practical mitigation is to track upstream releases closely, update promptly, and limit installed plugins to those that are actively maintained.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-24804 | Private group name exposure in discourse | discourse | CWE-200 | 5.3 | Medium | 2022-04-11 |
| CVE-2022-24782 | Secure category names leaked via user activity export in Discourse | discourse | CWE-200 | 4.3 | Medium | 2022-03-24 |
| CVE-2022-23641 | Denial of Service in Discourse | discourse | CWE-835 | 6.5 | Medium | 2022-02-15 |
| CVE-2022-21677 | Group advanced search option may leak group and group's members visibility | discourse | CWE-200 | 4.3 | Medium | 2022-01-14 |
| CVE-2022-21684 | User can bypass approval when invited to Discourse | discourse | CWE-287 | 4.3 | Medium | 2022-01-13 |
| CVE-2022-21678 | User's bio visible even if profile is restricted in Discourse | discourse | CWE-200 | 4.3 | Medium | 2022-01-13 |
| CVE-2022-21642 | Exposure of whisper participants in discourse | discourse | CWE-200 | 4.3 | Medium | 2022-01-05 |
| CVE-2021-43850 | Denial of Service in discourse | discourse | CWE-20 | 6.8 | Medium | 2022-01-04 |
| CVE-2021-43840 | Path traversal in message_bus | message_bus | CWE-22 | 4.4 | Medium | 2021-12-17 |
| CVE-2021-43827 | Inline footnotes wrapped in `<a>` tags can cause errors in discourse-footnotes | discourse-footnote | CWE-755 | 4.3 | Medium | 2021-12-14 |
| CVE-2021-43793 | Bypass of Poll voting limits in Discourse | discourse | CWE-269 | 4.3 | Medium | 2021-12-01 |
| CVE-2021-43794 | Anonymous user cache poisoning via development-mode header in Discourse | discourse | CWE-610 | 5.3 | Medium | 2021-12-01 |
| CVE-2021-43792 | Notifications leak in Discourse | discourse | CWE-200 | 4.3 | Medium | 2021-12-01 |
| CVE-2021-41271 | Cache poisoning via maliciously-formed request in discourse | discourse | CWE-200 | 4.8 | Medium | 2021-11-15 |
| CVE-2021-41263 | Secure/signed cookies share secrets between sites in rails_multisite | rails_multisite | CWE-200 | 8.3 | High | 2021-11-15 |
| CVE-2021-41163 | RCE via malicious SNS subscription payload | discourse | CWE-74 | 10.0 | Critical | 2021-10-20 |
| CVE-2021-41140 | Reactions leak for secure category topics and private messages | discourse-reactions | CWE-668 | 5.3 | Medium | 2021-10-19 |
| CVE-2021-41095 | XSS via blocked watched word in error message | discourse | CWE-79 | 4.2 | Medium | 2021-09-27 |
| CVE-2021-41082 | Private message title and participating users leaked in discourse | discourse | CWE-200 | 7.5 | High | 2021-09-20 |
| CVE-2021-39161 | Cross-site scripting via category name in Discourse | discourse | CWE-79 | 4.4 | Medium | 2021-08-26 |
| CVE-2021-37703 | Information exposure in Discourse | discourse | CWE-200 | 4.3 | Medium | 2021-08-13 |
| CVE-2021-37693 | Re-use of email tokens in Discourse | discourse | CWE-640 | 5.3 | Medium | 2021-08-13 |
| CVE-2021-37633 | XSS via d-popover and d-html-popover attribute | discourse | CWE-79 | 7.4 | High | 2021-08-09 |
| CVE-2021-32788 | Post creator of a whisper post can be revealed to non-staff users in Discourse | discourse | CWE-668 | 4.3 | Medium | 2021-07-27 |
| CVE-2021-32764 | YouTube Onebox susceptible to XSS | discourse | CWE-79 | 8.1 | High | 2021-07-15 |

This page lists every published CVE security advisory associated with discourse (the table above shows 25 of the 265 entries). Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.