Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
526 vulnerabilities found for discourse by discourse
CVE-2026-59828 (GCVE-0-2026-59828)
Vulnerability from nvd – Published: 2026-07-09 22:04 – Updated: 2026-07-10 14:17
VLAI
EPSS
VEX
Title
Discourse: Hidden post revisions leak through adjacent visible diffs
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1f2… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8b7… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8d3… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/d58… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:17:36.503953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:17:45.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:04:50.777Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-q456-4f8q-42vx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-q456-4f8q-42vx"
},
{
"name": "https://github.com/discourse/discourse/commit/1f26c1163ce87a2abbd1d01780ab1b5fb16e75f6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1f26c1163ce87a2abbd1d01780ab1b5fb16e75f6"
},
{
"name": "https://github.com/discourse/discourse/commit/8b773332b0f937dfcd894ed56d56fc5a81578d9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8b773332b0f937dfcd894ed56d56fc5a81578d9d"
},
{
"name": "https://github.com/discourse/discourse/commit/8d36da1b68c906592abde3f2e94d505cdf097435",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8d36da1b68c906592abde3f2e94d505cdf097435"
},
{
"name": "https://github.com/discourse/discourse/commit/d58988d46bb1019bfa8b8330ae81a1a134e08511",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/d58988d46bb1019bfa8b8330ae81a1a134e08511"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-q456-4f8q-42vx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Hidden post revisions leak through adjacent visible diffs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59828",
"datePublished": "2026-07-09T22:04:50.777Z",
"dateReserved": "2026-07-07T15:00:50.979Z",
"dateUpdated": "2026-07-10T14:17:45.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55424 (GCVE-0-2026-55424)
Vulnerability from nvd – Published: 2026-07-09 22:01 – Updated: 2026-07-10 14:40
VLAI
EPSS
VEX
Title
Discourse: Topic featured link susceptible to stored XSS
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1bc… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/667… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/682… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/c9b… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:39:57.512653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:40:09.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic \"featured link\" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:01:22.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3"
},
{
"name": "https://github.com/discourse/discourse/commit/1bce8881e4253d9bbab56f011a12ef899b926b59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1bce8881e4253d9bbab56f011a12ef899b926b59"
},
{
"name": "https://github.com/discourse/discourse/commit/6679d9a5083488bae10c2adbb345c481c583242c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6679d9a5083488bae10c2adbb345c481c583242c"
},
{
"name": "https://github.com/discourse/discourse/commit/6828aee9b15c2655d63b515ac919830bd540ff83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6828aee9b15c2655d63b515ac919830bd540ff83"
},
{
"name": "https://github.com/discourse/discourse/commit/c9b9405f5bd0bf0269e505e28e3aad388d7657c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/c9b9405f5bd0bf0269e505e28e3aad388d7657c5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-695w-7fv8-mxg3",
"discovery": "UNKNOWN"
},
"title": "Discourse: Topic featured link susceptible to stored XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55424",
"datePublished": "2026-07-09T22:01:22.249Z",
"dateReserved": "2026-06-16T21:48:43.126Z",
"dateUpdated": "2026-07-10T14:40:09.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53963 (GCVE-0-2026-53963)
Vulnerability from nvd – Published: 2026-07-09 22:05 – Updated: 2026-07-09 22:05
VLAI
EPSS
VEX
Title
Discourse: Stored-XSS in 2FA delete confirmation modal
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/40d… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/529… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/d92… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/dae… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:05:46.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5"
},
{
"name": "https://github.com/discourse/discourse/commit/40de62cddadc65c328a1028ab999f3fa94adbfed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/40de62cddadc65c328a1028ab999f3fa94adbfed"
},
{
"name": "https://github.com/discourse/discourse/commit/529e17d4d570a48972e7cf64720e5dd1fdf23ca8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/529e17d4d570a48972e7cf64720e5dd1fdf23ca8"
},
{
"name": "https://github.com/discourse/discourse/commit/d92973e51a46cf6dd20c71e6068e6769b67eea5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/d92973e51a46cf6dd20c71e6068e6769b67eea5b"
},
{
"name": "https://github.com/discourse/discourse/commit/daea5214d833eacbdd3b1a78d99eb14e9cabd915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/daea5214d833eacbdd3b1a78d99eb14e9cabd915"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-wg5x-7f23-m3r5",
"discovery": "UNKNOWN"
},
"title": "Discourse: Stored-XSS in 2FA delete confirmation modal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53963",
"datePublished": "2026-07-09T22:05:46.329Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-09T22:05:46.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53962 (GCVE-0-2026-53962)
Vulnerability from nvd – Published: 2026-07-09 22:02 – Updated: 2026-07-09 22:02
VLAI
EPSS
VEX
Title
Discourse: Insufficient SVG sanitization logic
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/3ee… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/810… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/92a… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/b8c… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:02:27.430Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv"
},
{
"name": "https://github.com/discourse/discourse/commit/3ee8343cd7f00d59d8513bee0a12e02d50bfc358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/3ee8343cd7f00d59d8513bee0a12e02d50bfc358"
},
{
"name": "https://github.com/discourse/discourse/commit/810c2715799fd08b06fd6ffc664d9562fe9ea6ff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/810c2715799fd08b06fd6ffc664d9562fe9ea6ff"
},
{
"name": "https://github.com/discourse/discourse/commit/92a699d89b84685b6fdd63cd0d0e371793c69dad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/92a699d89b84685b6fdd63cd0d0e371793c69dad"
},
{
"name": "https://github.com/discourse/discourse/commit/b8ceb49f4ba52257be30eb3c2ce51a5bf03be5fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/b8ceb49f4ba52257be30eb3c2ce51a5bf03be5fe"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-jmcf-3367-78vv",
"discovery": "UNKNOWN"
},
"title": "Discourse: Insufficient SVG sanitization logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53962",
"datePublished": "2026-07-09T22:02:27.430Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-09T22:02:27.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53961 (GCVE-0-2026-53961)
Vulnerability from nvd – Published: 2026-07-09 21:48 – Updated: 2026-07-10 13:44
VLAI
EPSS
VEX
Title
Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/3a3… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/61f… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/958… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/aea… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T13:44:24.781167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T13:44:30.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:49:00.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x"
},
{
"name": "https://github.com/discourse/discourse/commit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b"
},
{
"name": "https://github.com/discourse/discourse/commit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94"
},
{
"name": "https://github.com/discourse/discourse/commit/958f0cd831d65a49ec75f05343ca2c167679f0ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/958f0cd831d65a49ec75f05343ca2c167679f0ea"
},
{
"name": "https://github.com/discourse/discourse/commit/aea35190791261bab258ebab05da279e78cdd0e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/aea35190791261bab258ebab05da279e78cdd0e6"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-8f9m-v436-wr3x",
"discovery": "UNKNOWN"
},
"title": "Discourse: Forged AWS SNS bounce notifications can disable a targeted user\u0027s email (missing TopicArn binding)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53961",
"datePublished": "2026-07-09T21:48:11.449Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-10T13:44:30.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49256 (GCVE-0-2026-49256)
Vulnerability from nvd – Published: 2026-07-09 21:56 – Updated: 2026-07-10 13:39
VLAI
EPSS
VEX
Title
Discourse: Hidden tag names leaked via category serializers
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T13:39:15.102132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T13:39:27.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:56:40.444Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-mwp7-572g-6qpx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Hidden tag names leaked via category serializers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49256",
"datePublished": "2026-07-09T21:56:40.444Z",
"dateReserved": "2026-05-28T14:33:01.179Z",
"dateUpdated": "2026-07-10T13:39:27.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46413 (GCVE-0-2026-46413)
Vulnerability from nvd – Published: 2026-07-09 21:55 – Updated: 2026-07-10 14:32
VLAI
EPSS
VEX
Title
Discourse: Regular users can route multipart uploads into the admin backup store
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1f1… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/7dd… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/a53… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/aba… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:32:30.407572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:32:39.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:55:45.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7"
},
{
"name": "https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0"
},
{
"name": "https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40"
},
{
"name": "https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d"
},
{
"name": "https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-3mvf-q9rg-w6m7",
"discovery": "UNKNOWN"
},
"title": "Discourse: Regular users can route multipart uploads into the admin backup store"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46413",
"datePublished": "2026-07-09T21:55:45.096Z",
"dateReserved": "2026-05-13T21:04:10.933Z",
"dateUpdated": "2026-07-10T14:32:39.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45788 (GCVE-0-2026-45788)
Vulnerability from nvd – Published: 2026-07-09 21:59 – Updated: 2026-07-10 14:39
VLAI
EPSS
VEX
Title
Discourse: Secure uploads exposed by hotlinked image copying
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/580… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8b4… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/eff… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/fa7… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:39:07.478798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:39:14.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:59:27.495Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38"
},
{
"name": "https://github.com/discourse/discourse/commit/5807c426880eadf248006e851604fc9284327ce5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/5807c426880eadf248006e851604fc9284327ce5"
},
{
"name": "https://github.com/discourse/discourse/commit/8b4a959b251a856a9c911fb9f2ac34fbc31a7471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8b4a959b251a856a9c911fb9f2ac34fbc31a7471"
},
{
"name": "https://github.com/discourse/discourse/commit/eff53af26367ae0dcb3a426954d233e8c7449f95",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/eff53af26367ae0dcb3a426954d233e8c7449f95"
},
{
"name": "https://github.com/discourse/discourse/commit/fa74e0dec7341a858ab83a1977fa52629bced1aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/fa74e0dec7341a858ab83a1977fa52629bced1aa"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-3876-w96v-8v38",
"discovery": "UNKNOWN"
},
"title": "Discourse: Secure uploads exposed by hotlinked image copying"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45788",
"datePublished": "2026-07-09T21:59:27.495Z",
"dateReserved": "2026-05-13T08:19:32.602Z",
"dateUpdated": "2026-07-10T14:39:14.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45780 (GCVE-0-2026-45780)
Vulnerability from nvd – Published: 2026-07-09 22:08 – Updated: 2026-07-09 22:08
VLAI
EPSS
VEX
Title
Discourse: Private event sample invitees are serialized to non-invited event viewers
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/379… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/4d4… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/645… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/7de… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:08:52.125Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7"
},
{
"name": "https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1"
},
{
"name": "https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586"
},
{
"name": "https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023"
},
{
"name": "https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-22v7-6wgj-g9f7",
"discovery": "UNKNOWN"
},
"title": "Discourse: Private event sample invitees are serialized to non-invited event viewers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45780",
"datePublished": "2026-07-09T22:08:52.125Z",
"dateReserved": "2026-05-13T07:45:21.252Z",
"dateUpdated": "2026-07-09T22:08:52.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44787 (GCVE-0-2026-44787)
Vulnerability from nvd – Published: 2026-07-09 22:03 – Updated: 2026-07-09 22:03
VLAI
EPSS
VEX
Title
Discourse: Signup-time primary_group_id assignment grants whisperer access
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
8.2 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/012… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/0f5… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/541… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/6fc… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:03:41.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx"
},
{
"name": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126"
},
{
"name": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8"
},
{
"name": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29"
},
{
"name": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-vmwq-jvxx-jwfx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Signup-time primary_group_id assignment grants whisperer access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44787",
"datePublished": "2026-07-09T22:03:41.409Z",
"dateReserved": "2026-05-07T19:20:44.691Z",
"dateUpdated": "2026-07-09T22:03:41.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55420 (GCVE-0-2026-55420)
Vulnerability from nvd – Published: 2026-07-09 17:54 – Updated: 2026-07-09 17:54
VLAI
EPSS
VEX
Title
Discourse: Remote code execution via pdf uploads
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/ca5… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:54:07.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3"
},
{
"name": "https://github.com/discourse/discourse/commit/ca5a7e06167561928556afa2f237d67e459c6914",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/ca5a7e06167561928556afa2f237d67e459c6914"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-7wq5-jgww-5rw3",
"discovery": "UNKNOWN"
},
"title": "Discourse: Remote code execution via pdf uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55420",
"datePublished": "2026-07-09T17:54:07.940Z",
"dateReserved": "2026-06-16T21:48:43.125Z",
"dateUpdated": "2026-07-09T17:54:07.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47264 (GCVE-0-2026-47264)
Vulnerability from nvd – Published: 2026-06-12 20:26 – Updated: 2026-06-13 03:31
VLAI
EPSS
VEX
Title
Discourse: Don't leak restricted tag group names via tag info
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:30:59.764046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:31:13.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user\u0027s visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:26:38.847Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-4q5q-6hh6-53x2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-4q5q-6hh6-53x2"
}
],
"source": {
"advisory": "GHSA-4q5q-6hh6-53x2",
"discovery": "UNKNOWN"
},
"title": "Discourse: Don\u0027t leak restricted tag group names via tag info"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47264",
"datePublished": "2026-06-12T20:26:38.847Z",
"dateReserved": "2026-05-18T23:03:37.229Z",
"dateUpdated": "2026-06-13T03:31:13.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47263 (GCVE-0-2026-47263)
Vulnerability from nvd – Published: 2026-06-12 20:26 – Updated: 2026-06-15 19:28
VLAI
EPSS
VEX
Title
Discourse: Prevent webhook payload disclosure on event redelivery
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:46:57.427436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:28:02.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/\u003cid\u003e in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:26:19.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wvrm-9v64-m96p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wvrm-9v64-m96p"
}
],
"source": {
"advisory": "GHSA-wvrm-9v64-m96p",
"discovery": "UNKNOWN"
},
"title": "Discourse: Prevent webhook payload disclosure on event redelivery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47263",
"datePublished": "2026-06-12T20:26:19.681Z",
"dateReserved": "2026-05-18T23:03:37.229Z",
"dateUpdated": "2026-06-15T19:28:02.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45775 (GCVE-0-2026-45775)
Vulnerability from nvd – Published: 2026-06-12 20:25 – Updated: 2026-06-15 13:04
VLAI
EPSS
VEX
Title
Discourse: Cross-site backup access via path traversal in multisite local backups
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. In affected configurations, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T13:04:00.026180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:04:11.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. In affected configurations, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:25:33.729Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5"
}
],
"source": {
"advisory": "GHSA-5j6v-4x6g-9pg5",
"discovery": "UNKNOWN"
},
"title": "Discourse: Cross-site backup access via path traversal in multisite local backups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45775",
"datePublished": "2026-06-12T20:25:33.729Z",
"dateReserved": "2026-05-13T07:45:21.251Z",
"dateUpdated": "2026-06-15T13:04:11.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45085 (GCVE-0-2026-45085)
Vulnerability from nvd – Published: 2026-06-12 20:25 – Updated: 2026-06-15 18:48
VLAI
EPSS
VEX
Title
Discourse: Chat misauthorization and information disclosure
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:45:55.268909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T18:48:50.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel\u0027s current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:25:09.286Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w"
}
],
"source": {
"advisory": "GHSA-rw8j-p2gv-q33w",
"discovery": "UNKNOWN"
},
"title": "Discourse: Chat misauthorization and information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45085",
"datePublished": "2026-06-12T20:25:09.286Z",
"dateReserved": "2026-05-08T18:45:10.097Z",
"dateUpdated": "2026-06-15T18:48:50.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44786 (GCVE-0-2026-44786)
Vulnerability from nvd – Published: 2026-06-12 20:22 – Updated: 2026-06-15 16:06
VLAI
EPSS
VEX
Title
Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44786",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T16:06:00.523976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T16:06:11.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:22:06.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783"
}
],
"source": {
"advisory": "GHSA-j7wq-rf5c-8783",
"discovery": "UNKNOWN"
},
"title": "Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44786",
"datePublished": "2026-06-12T20:22:06.193Z",
"dateReserved": "2026-05-07T19:20:44.691Z",
"dateUpdated": "2026-06-15T16:06:11.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44785 (GCVE-0-2026-44785)
Vulnerability from nvd – Published: 2026-06-12 20:24 – Updated: 2026-06-15 18:04
VLAI
EPSS
VEX
Title
Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking "Explain" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:04:28.081326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T18:04:36.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI \"explain\" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking \"Explain\" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:24:39.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-7h76-fwxc-j586",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-7h76-fwxc-j586"
}
],
"source": {
"advisory": "GHSA-7h76-fwxc-j586",
"discovery": "UNKNOWN"
},
"title": "Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44785",
"datePublished": "2026-06-12T20:24:39.155Z",
"dateReserved": "2026-05-07T19:20:44.691Z",
"dateUpdated": "2026-06-15T18:04:36.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44784 (GCVE-0-2026-44784)
Vulnerability from nvd – Published: 2026-06-12 20:23 – Updated: 2026-06-13 03:29
VLAI
EPSS
VEX
Title
Discourse: Non-staff group owners can see email password in plaintext through group history
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields: email_password, email_username, smtp_server, smtp_port, smtp_ssl_mode. The most sensitive item is the SMTP password, which an owner could use to send mail as the group from outside Discourse. This impacts sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T03:29:41.802605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T03:29:52.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group\u0027s outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields: email_password, email_username, smtp_server, smtp_port, smtp_ssl_mode. The most sensitive item is the SMTP password, which an owner could use to send mail as the group from outside Discourse. This impacts sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:23:52.279Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-94c5-j24g-r99f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-94c5-j24g-r99f"
}
],
"source": {
"advisory": "GHSA-94c5-j24g-r99f",
"discovery": "UNKNOWN"
},
"title": "Discourse: Non-staff group owners can see email password in plaintext through group history"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44784",
"datePublished": "2026-06-12T20:23:52.279Z",
"dateReserved": "2026-05-07T19:20:44.691Z",
"dateUpdated": "2026-06-13T03:29:52.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44783 (GCVE-0-2026-44783)
Vulnerability from nvd – Published: 2026-06-12 20:23 – Updated: 2026-06-15 19:28
VLAI
EPSS
VEX
Title
Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts
Summary
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T18:44:52.666793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:28:10.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.4"
},
{
"status": "affected",
"version": "\u003e= 2026.3.0-latest, \u003c 2026.3.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic\u0027s staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:23:14.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-98ch-mgfj-wqpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-98ch-mgfj-wqpw"
}
],
"source": {
"advisory": "GHSA-98ch-mgfj-wqpw",
"discovery": "UNKNOWN"
},
"title": "Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44783",
"datePublished": "2026-06-12T20:23:14.886Z",
"dateReserved": "2026-05-07T19:20:44.690Z",
"dateUpdated": "2026-06-15T19:28:10.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45780 (GCVE-0-2026-45780)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:08 – Updated: 2026-07-09 22:08
VLAI
EPSS
VEX
Title
Discourse: Private event sample invitees are serialized to non-invited event viewers
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/379… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/4d4… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/645… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/7de… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:08:52.125Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7"
},
{
"name": "https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1"
},
{
"name": "https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586"
},
{
"name": "https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023"
},
{
"name": "https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-22v7-6wgj-g9f7",
"discovery": "UNKNOWN"
},
"title": "Discourse: Private event sample invitees are serialized to non-invited event viewers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45780",
"datePublished": "2026-07-09T22:08:52.125Z",
"dateReserved": "2026-05-13T07:45:21.252Z",
"dateUpdated": "2026-07-09T22:08:52.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53963 (GCVE-0-2026-53963)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:05 – Updated: 2026-07-09 22:05
VLAI
EPSS
VEX
Title
Discourse: Stored-XSS in 2FA delete confirmation modal
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/40d… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/529… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/d92… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/dae… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:05:46.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5"
},
{
"name": "https://github.com/discourse/discourse/commit/40de62cddadc65c328a1028ab999f3fa94adbfed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/40de62cddadc65c328a1028ab999f3fa94adbfed"
},
{
"name": "https://github.com/discourse/discourse/commit/529e17d4d570a48972e7cf64720e5dd1fdf23ca8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/529e17d4d570a48972e7cf64720e5dd1fdf23ca8"
},
{
"name": "https://github.com/discourse/discourse/commit/d92973e51a46cf6dd20c71e6068e6769b67eea5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/d92973e51a46cf6dd20c71e6068e6769b67eea5b"
},
{
"name": "https://github.com/discourse/discourse/commit/daea5214d833eacbdd3b1a78d99eb14e9cabd915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/daea5214d833eacbdd3b1a78d99eb14e9cabd915"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-wg5x-7f23-m3r5",
"discovery": "UNKNOWN"
},
"title": "Discourse: Stored-XSS in 2FA delete confirmation modal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53963",
"datePublished": "2026-07-09T22:05:46.329Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-09T22:05:46.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59828 (GCVE-0-2026-59828)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:04 – Updated: 2026-07-10 14:17
VLAI
EPSS
VEX
Title
Discourse: Hidden post revisions leak through adjacent visible diffs
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1f2… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8b7… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8d3… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/d58… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:17:36.503953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:17:45.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:04:50.777Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-q456-4f8q-42vx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-q456-4f8q-42vx"
},
{
"name": "https://github.com/discourse/discourse/commit/1f26c1163ce87a2abbd1d01780ab1b5fb16e75f6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1f26c1163ce87a2abbd1d01780ab1b5fb16e75f6"
},
{
"name": "https://github.com/discourse/discourse/commit/8b773332b0f937dfcd894ed56d56fc5a81578d9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8b773332b0f937dfcd894ed56d56fc5a81578d9d"
},
{
"name": "https://github.com/discourse/discourse/commit/8d36da1b68c906592abde3f2e94d505cdf097435",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8d36da1b68c906592abde3f2e94d505cdf097435"
},
{
"name": "https://github.com/discourse/discourse/commit/d58988d46bb1019bfa8b8330ae81a1a134e08511",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/d58988d46bb1019bfa8b8330ae81a1a134e08511"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-q456-4f8q-42vx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Hidden post revisions leak through adjacent visible diffs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59828",
"datePublished": "2026-07-09T22:04:50.777Z",
"dateReserved": "2026-07-07T15:00:50.979Z",
"dateUpdated": "2026-07-10T14:17:45.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44787 (GCVE-0-2026-44787)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:03 – Updated: 2026-07-09 22:03
VLAI
EPSS
VEX
Title
Discourse: Signup-time primary_group_id assignment grants whisperer access
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
8.2 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/012… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/0f5… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/541… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/6fc… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:03:41.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx"
},
{
"name": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126"
},
{
"name": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8"
},
{
"name": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29"
},
{
"name": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-vmwq-jvxx-jwfx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Signup-time primary_group_id assignment grants whisperer access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44787",
"datePublished": "2026-07-09T22:03:41.409Z",
"dateReserved": "2026-05-07T19:20:44.691Z",
"dateUpdated": "2026-07-09T22:03:41.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53962 (GCVE-0-2026-53962)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:02 – Updated: 2026-07-09 22:02
VLAI
EPSS
VEX
Title
Discourse: Insufficient SVG sanitization logic
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/3ee… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/810… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/92a… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/b8c… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:02:27.430Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv"
},
{
"name": "https://github.com/discourse/discourse/commit/3ee8343cd7f00d59d8513bee0a12e02d50bfc358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/3ee8343cd7f00d59d8513bee0a12e02d50bfc358"
},
{
"name": "https://github.com/discourse/discourse/commit/810c2715799fd08b06fd6ffc664d9562fe9ea6ff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/810c2715799fd08b06fd6ffc664d9562fe9ea6ff"
},
{
"name": "https://github.com/discourse/discourse/commit/92a699d89b84685b6fdd63cd0d0e371793c69dad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/92a699d89b84685b6fdd63cd0d0e371793c69dad"
},
{
"name": "https://github.com/discourse/discourse/commit/b8ceb49f4ba52257be30eb3c2ce51a5bf03be5fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/b8ceb49f4ba52257be30eb3c2ce51a5bf03be5fe"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-jmcf-3367-78vv",
"discovery": "UNKNOWN"
},
"title": "Discourse: Insufficient SVG sanitization logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53962",
"datePublished": "2026-07-09T22:02:27.430Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-09T22:02:27.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55424 (GCVE-0-2026-55424)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:01 – Updated: 2026-07-10 14:40
VLAI
EPSS
VEX
Title
Discourse: Topic featured link susceptible to stored XSS
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1bc… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/667… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/682… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/c9b… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:39:57.512653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:40:09.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic \"featured link\" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:01:22.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3"
},
{
"name": "https://github.com/discourse/discourse/commit/1bce8881e4253d9bbab56f011a12ef899b926b59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1bce8881e4253d9bbab56f011a12ef899b926b59"
},
{
"name": "https://github.com/discourse/discourse/commit/6679d9a5083488bae10c2adbb345c481c583242c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6679d9a5083488bae10c2adbb345c481c583242c"
},
{
"name": "https://github.com/discourse/discourse/commit/6828aee9b15c2655d63b515ac919830bd540ff83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6828aee9b15c2655d63b515ac919830bd540ff83"
},
{
"name": "https://github.com/discourse/discourse/commit/c9b9405f5bd0bf0269e505e28e3aad388d7657c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/c9b9405f5bd0bf0269e505e28e3aad388d7657c5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-695w-7fv8-mxg3",
"discovery": "UNKNOWN"
},
"title": "Discourse: Topic featured link susceptible to stored XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55424",
"datePublished": "2026-07-09T22:01:22.249Z",
"dateReserved": "2026-06-16T21:48:43.126Z",
"dateUpdated": "2026-07-10T14:40:09.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45788 (GCVE-0-2026-45788)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:59 – Updated: 2026-07-10 14:39
VLAI
EPSS
VEX
Title
Discourse: Secure uploads exposed by hotlinked image copying
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/580… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/8b4… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/eff… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/fa7… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:39:07.478798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:39:14.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:59:27.495Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38"
},
{
"name": "https://github.com/discourse/discourse/commit/5807c426880eadf248006e851604fc9284327ce5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/5807c426880eadf248006e851604fc9284327ce5"
},
{
"name": "https://github.com/discourse/discourse/commit/8b4a959b251a856a9c911fb9f2ac34fbc31a7471",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8b4a959b251a856a9c911fb9f2ac34fbc31a7471"
},
{
"name": "https://github.com/discourse/discourse/commit/eff53af26367ae0dcb3a426954d233e8c7449f95",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/eff53af26367ae0dcb3a426954d233e8c7449f95"
},
{
"name": "https://github.com/discourse/discourse/commit/fa74e0dec7341a858ab83a1977fa52629bced1aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/fa74e0dec7341a858ab83a1977fa52629bced1aa"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-3876-w96v-8v38",
"discovery": "UNKNOWN"
},
"title": "Discourse: Secure uploads exposed by hotlinked image copying"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45788",
"datePublished": "2026-07-09T21:59:27.495Z",
"dateReserved": "2026-05-13T08:19:32.602Z",
"dateUpdated": "2026-07-10T14:39:14.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49256 (GCVE-0-2026-49256)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:56 – Updated: 2026-07-10 13:39
VLAI
EPSS
VEX
Title
Discourse: Hidden tag names leaked via category serializers
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T13:39:15.102132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T13:39:27.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:56:40.444Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-mwp7-572g-6qpx",
"discovery": "UNKNOWN"
},
"title": "Discourse: Hidden tag names leaked via category serializers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49256",
"datePublished": "2026-07-09T21:56:40.444Z",
"dateReserved": "2026-05-28T14:33:01.179Z",
"dateUpdated": "2026-07-10T13:39:27.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46413 (GCVE-0-2026-46413)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:55 – Updated: 2026-07-10 14:32
VLAI
EPSS
VEX
Title
Discourse: Regular users can route multipart uploads into the admin backup store
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1f1… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/7dd… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/a53… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/aba… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:32:30.407572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:32:39.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:55:45.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7"
},
{
"name": "https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0"
},
{
"name": "https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40"
},
{
"name": "https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d"
},
{
"name": "https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-3mvf-q9rg-w6m7",
"discovery": "UNKNOWN"
},
"title": "Discourse: Regular users can route multipart uploads into the admin backup store"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46413",
"datePublished": "2026-07-09T21:55:45.096Z",
"dateReserved": "2026-05-13T21:04:10.933Z",
"dateUpdated": "2026-07-10T14:32:39.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53961 (GCVE-0-2026-53961)
Vulnerability from cvelistv5 – Published: 2026-07-09 21:48 – Updated: 2026-07-10 13:44
VLAI
EPSS
VEX
Title
Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/3a3… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/61f… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/958… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/aea… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T13:44:24.781167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T13:44:30.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T21:49:00.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x"
},
{
"name": "https://github.com/discourse/discourse/commit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b"
},
{
"name": "https://github.com/discourse/discourse/commit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94"
},
{
"name": "https://github.com/discourse/discourse/commit/958f0cd831d65a49ec75f05343ca2c167679f0ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/958f0cd831d65a49ec75f05343ca2c167679f0ea"
},
{
"name": "https://github.com/discourse/discourse/commit/aea35190791261bab258ebab05da279e78cdd0e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/aea35190791261bab258ebab05da279e78cdd0e6"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-8f9m-v436-wr3x",
"discovery": "UNKNOWN"
},
"title": "Discourse: Forged AWS SNS bounce notifications can disable a targeted user\u0027s email (missing TopicArn binding)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53961",
"datePublished": "2026-07-09T21:48:11.449Z",
"dateReserved": "2026-06-11T15:50:01.282Z",
"dateUpdated": "2026-07-10T13:44:30.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55420 (GCVE-0-2026-55420)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:54 – Updated: 2026-07-09 17:54
VLAI
EPSS
VEX
Title
Discourse: Remote code execution via pdf uploads
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/ca5… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
| https://github.com/discourse/discourse/releases/t… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
},
{
"status": "affected",
"version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:54:07.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3"
},
{
"name": "https://github.com/discourse/discourse/commit/ca5a7e06167561928556afa2f237d67e459c6914",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/ca5a7e06167561928556afa2f237d67e459c6914"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
},
{
"name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
}
],
"source": {
"advisory": "GHSA-7wq5-jgww-5rw3",
"discovery": "UNKNOWN"
},
"title": "Discourse: Remote code execution via pdf uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55420",
"datePublished": "2026-07-09T17:54:07.940Z",
"dateReserved": "2026-06-16T21:48:43.125Z",
"dateUpdated": "2026-07-09T17:54:07.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}