Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

discourse — Vulnerabilities & Security Advisories 290

Browse all 290 CVE security advisories affecting discourse. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Discourse is an open-source discussion platform primarily utilized for community forums and online communities. Its architecture, built on Ruby on Rails and Ember.js, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation flaws, often stemming from improper input validation or insecure deserialization. While the platform employs modern security practices like Content Security Policy and automated testing, its complexity and extensive plugin ecosystem create a broad attack surface. Notable incidents have included arbitrary file read vulnerabilities and session fixation issues, prompting rapid patches from the core team. The high volume of CVEs reflects the software’s active development cycle and the rigorous scrutiny applied to its codebase, rather than inherent systemic failure. Administrators must prioritize regular updates and strict plugin management to mitigate these risks effectively.

Medium2026-07-10
SECURITY: Escape second factor name in delete confirmation dialog · discourse/discourse@40de62c · GitHub
Medium2026-07-10
SECURITY: Escape second factor name in delete confirmation dialog [ba… · discourse/discourse@d92973e · GitHub
Medium2026-07-10
SECURITY: Escape second factor name in delete confirmation dialog [ba… · discourse/discourse@529e17d · GitHub
High2026-07-10
SECURITY: Prevent any signed AWS SNS TopicARN from being accepted via… · discourse/discourse@3a3d315 · GitHub
Medium2026-07-10
SECURITY: Escape second factor name in delete confirmation dialog [ba… · discourse/discourse@daea521 · GitHub
High2026-07-10
SECURITY: Prevent any signed AWS SNS TopicARN from being accepted via… · discourse/discourse@61f12e1 · GitHub
MediumCVE-2026-539612026-07-10
Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding) · Advisory · discours
High2026-07-10
SECURITY: Prevent any signed AWS SNS TopicARN from being accepted via… · discourse/discourse@958f0cd · GitHub
Medium2026-07-10
SECURITY: Prevent any signed AWS SNS TopicARN from being accepted via… · discourse/discourse@aea3519 · GitHub
High2026-07-10
SECURITY: Improve SVG sanitization [backport 2026.1] · discourse/discourse@3ee8343 · GitHub
High2026-07-10
SECURITY: Improve SVG sanitization · discourse/discourse@92a699d · GitHub
High2026-07-10
SECURITY: Improve SVG sanitization [backport 2026.4] · discourse/discourse@810c271 · GitHub
High2026-07-10
SECURITY: Improve SVG sanitization [backport 2026.5] · discourse/discourse@b8ceb49 · GitHub
Medium2026-07-10
SECURITY: Gate private event invitee details [backport 2026.1] · discourse/discourse@3796950 · GitHub
Medium2026-07-10
SECURITY: Gate private event invitee details · discourse/discourse@4d46638 · GitHub
Medium2026-07-10
SECURITY: Gate private event invitee details [backport 2026.5] · discourse/discourse@7deb4b6 · GitHub
High2026-07-10
SECURITY: Gate private event invitee details [backport 2026.4] · discourse/discourse@6457ab7 · GitHub
Medium2026-07-10
SECURITY: Authorize secure-upload hotlink downloads against post user… · discourse/discourse@8b4a959 · GitHub
High2026-07-10
SECURITY: Authorize secure-upload hotlink downloads against post user… · discourse/discourse@5807c42 · GitHub
High2026-07-10
SECURITY: Authorize secure-upload hotlink downloads against post user · discourse/discourse@fa74e0d · GitHub

Showing up to 20 recent security advisories. View all →

This page lists every published CVE security advisory associated with discourse. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.