
discourse — Vulnerabilities & Security Advisories (265)

Browse all 265 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform used mainly for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. Although the platform employs modern security practices such as a Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, which prompted rapid patches from the core team. The high volume of CVEs reflects the software's active development cycle and the rigorous scrutiny applied to its codebase rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

Severity · CVE · Date · Title · Source

Medium · CVE-2026-27481 · 2026-04-04 · Hidden tag visibility bypass on tag routes · Advisory · discourse/discourse · GitHub
Low · CVE-2026-34847 · 2026-04-04 · Staged user custom fields are exposed on public invite pages · Advisory · discourse/discourse · GitHub
High · no CVE · 2026-04-02 · SECURITY: Check topic visibility in Oneboxer even when categories match · discourse/discourse@0b4e6ff · GitHub
High · no CVE · 2026-04-02 · SECURITY: XSS on category description update via API · discourse/discourse@05e3da2 · GitHub
Medium · no CVE · 2026-04-02 · SECURITY: Respect group visibility in category chatables when accesse… · discourse/discourse@07f6665 · GitHub
Medium · no CVE · 2026-04-02 · SECURITY: Missing post-level authorization allows whisper metadata di… · discourse/discourse@bf8dbf6 · GitHub
Medium · no CVE · 2026-04-02 · SECURITY: Stored XSS in discourse-ai shared conversations onebox · discourse/discourse@cac7d61 · GitHub
High · CVE-2024-38178 · 2026-04-02 · SECURITY: Scope sentiment posts endpoint to allowed categories · discourse/discourse@e1bb146 · GitHub
Unknown · no CVE · 2026-04-02 · SECURITY: unauthorized channel membership inference · discourse/discourse@81fd89e · GitHub
Medium · no CVE · 2026-04-02 · Open redirect via `sso_destination_url` cookie in `enter` · Advisory · discourse/discourse · GitHub
High · CVE-2024-30074 · 2026-04-02 · Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions · Advisory · d
Medium · no CVE · 2026-04-02 · Authorization bypass in oneboxer via user-controlled category id · Advisory · discourse/discourse · GitHub
High · CVE-2026-32143 · 2026-04-02 · Admin-only report can be exported by moderators · Advisory · discourse/discourse · GitHub
Medium · CVE-2026-02271 · 2026-04-02 · XSS on category description update via API · Advisory · discourse/discourse · GitHub
High · CVE-2024-39731 · 2026-04-02 · discourse-subscriptions plugin leaking stripe API key in multisite environment · Advisory · discourse/discourse · GitHub
Medium · CVE-2026-39185 · 2026-04-02 · Group SMTP test endpoint susceptible to SSRF · Advisory · discourse/discourse · GitHub
Medium · CVE-2026-12619 · 2026-04-02 · Insufficient topic visibility check allows unauthorized poll manipulation in private categories · Advisory · discourse/d
Medium · CVE-2026-32620 · 2026-04-02 · Missing post-level authorization allows whisper metadata disclosure · Advisory · discourse/discourse · GitHub
Low · CVE-2026-38415 · 2026-04-02 · Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure · Advisory · discourse/discourse ·
Medium · CVE-2026-32615 · 2026-04-02 · Category group moderators can perform actions on topics in restricted categories without read access · Advisory · discou

Showing up to 20 recent security advisories.

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.