Discourse (Open Source Discussion Platform): security vulnerabilities


Products by Discourse, sorted by most security vulnerabilities since 2018

Discourse: 159 vulnerabilities
Discourse Calendar: 4 vulnerabilities
Discourse Chat: 3 vulnerabilities
Discourse Reactions: 2 vulnerabilities
Discourse Jira: 1 vulnerability
Discourse Reactions: 1 vulnerability
Discourse Rails Multisite: 1 vulnerability
Discourse Patreon: 1 vulnerability
Discourse Message Bus: 1 vulnerability
Discourse Mermaid: 1 vulnerability
Discourse Yearly Review: 1 vulnerability
Discourse Ai: 1 vulnerability
Discourse Footnote: 1 vulnerability
Discourse Encrypt: 1 vulnerability
Discourse Bbcode: 1 vulnerability
Discourse Discotoc: 1 vulnerability
Discourse Assign: 1 vulnerability

By the Year

In 2025 there have been 24 vulnerabilities in Discourse, with an average CVSS base score of 4.03 out of 10. In 2024 Discourse had 34 security vulnerabilities published, so 2025 is on track to have fewer vulnerabilities than the previous year. The 2024 average CVE base score was higher by 1.65.

Year  Vulnerabilities  Average Score
2025  24               4.03
2024  34               5.68
2023  64               5.67
2022  38               5.70
2021  19               5.96
2020   0               0.00
2019   3               6.37

It may take a day or so for new Discourse vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Discourse Security Vulnerabilities

Each entry lists the CVE identifier, NVD publication date, summary, and affected product(s).
CVE-2025-61598 Oct 28, 2025
Discourse < 3.6.2: Missing Cache-Control Header Causing Cache Poisoning. Discourse is an open source discussion platform. In versions before 3.6.2 and 3.6.0.beta2, the default Cache-Control response header (no-store, no-cache) was missing from error responses. This may have caused unintended caching of those responses by proxies, potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.
Discourse
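The condition behind the Cache-Control entry above is easy to verify from outside: request a path that should fail and confirm the error response tells shared caches not to store it. The following Ruby check is an added example, not Discourse's code or the page's; the helper names, the `probe` function and the sample responses are constructed for illustration.

```ruby
# Added example (not Discourse's code): verify that error responses carry a
# Cache-Control header that forbids storing. Helpers and samples are constructed.
require 'net/http'
require 'uri'

# Parse "no-store, no-cache, max-age=0" into {"no-store"=>nil, "max-age"=>"0"}.
# Directive names are case-insensitive per RFC 9111.
def cache_control_directives(value)
  return {} if value.nil?
  value.split(',').each_with_object({}) do |part, acc|
    name, arg = part.strip.split('=', 2)
    acc[name.to_s.downcase] = arg unless name.to_s.empty?
  end
end

# A shared cache (proxy/CDN) must not store an error page for later reuse.
# Accept no-store, or private (not reusable by a shared cache). max-age=0 alone
# still permits storing a stale copy, so it does not count.
# `headers` must use lowercase header names.
def error_response_uncacheable?(status, headers)
  return true unless status >= 400            # only error responses are in scope
  cc = cache_control_directives(headers['cache-control'])
  cc.key?('no-store') || cc.key?('private')
end

# Live probe (not exercised here): fetch a path that should 404 and apply the check.
def probe(url)
  uri = URI(url)
  res = Net::HTTP.get_response(uri)
  headers = res.to_hash.transform_values(&:first)   # Net::HTTP downcases names
  { status: res.code.to_i, ok: error_response_uncacheable?(res.code.to_i, headers) }
end

# Constructed sample responses standing in for probe results.
SAMPLES = {
  fixed_404:   [404, { 'cache-control' => 'no-store, no-cache' }],
  missing_404: [404, {}],
  weak_500:    [500, { 'cache-control' => 'max-age=0, must-revalidate' }],
  public_200:  [200, { 'cache-control' => 'public, max-age=60' }],
}.freeze

# Returns {sample_name => true/false}; false marks a response a proxy could store.
def audit(samples = SAMPLES)
  samples.transform_values { |(status, headers)| error_response_uncacheable?(status, headers) }
end

puts audit if __FILE__ == $0
```

Run `probe("https://forum.example/this-path-does-not-exist")` against a real instance to get the same verdict for a live 404; any `false` from `audit` or `probe` means a proxy in front of the site is free to cache the error body.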
CVE-2025-59337 Oct 01, 2025
Discourse < 3.5.1: RCE via meta-command execution in backup restore. Discourse is an open-source community discussion platform. In versions 3.5.0 and earlier, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.
Discourse
CVE-2025-58055 Oct 01, 2025
Discourse AI Suggestion Endpoints Info Disclosure (3.5.0). Discourse is an open-source community discussion platform. In versions 3.5.0 and earlier, the Discourse AI suggestion endpoints for topic Title, Category, and Tags allowed authenticated users to extract information about topics that they weren't authorized to access. By modifying the topic_id value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model's responses then disclosed information that the authenticated user couldn't normally access. This issue is fixed in version 3.5.1. To work around this issue, restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.
Discourse
CVE-2025-58054 Oct 01, 2025
Discourse XSS via chat titles in v3.5.0 and earlier (fixed 3.5.1) Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.
Discourse
CVE-2025-54411 Aug 19, 2025
Discourse XSS in welcome_banner.header.logged_in_members before 3.5.0.beta8. Discourse is an open-source discussion platform. The welcome banner's user-name string for logged-in users can be vulnerable to XSS, affecting the user themselves or an admin impersonating them. As a workaround, admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or avoid impersonating users for the time being. This vulnerability is fixed in 3.5.0.beta8.
Discourse
CVE-2025-53102 Jul 29, 2025
Discourse Uncleared WebAuthn Challenge before 3.4.7/3.5.0.beta.8. Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, when a physical security key is used for 2FA, the server generates a WebAuthn challenge which the client signs. The challenge is not cleared from the user's session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
Discourse
CVE-2025-49845 Jun 25, 2025
Discourse 3.4.x/3.5.0 < beta8: Whisper visibility bypass Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Discourse
CVE-2025-48954 Jun 25, 2025
Discourse XSS via Social Logins (pre-3.5.0.beta6, CSP off). Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting through social logins when the Content Security Policy is disabled. Version 3.5.0.beta6 patches the issue. As a workaround, keep the Content Security Policy enabled.
Discourse
CVE-2025-48053 Jun 09, 2025
Discourse v3.4.3 and earlier: bot user PM URL causes availability loss. Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can reduce the availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.
Discourse
CVE-2025-48062 Jun 09, 2025
Discourse email invite HTML injection: <3.4.4, 3.5.0.beta5, 3.5.0.beta6-dev Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
Discourse
CVE-2025-48877 Jun 09, 2025
Discourse <3.4.4 allowed_iframes Codepen auto-exec arbitrary JS Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
Discourse
CVE-2025-46813 May 05, 2025
Discourse 3.5.0.beta4: Data Leakage on the Homepage of Login-Required Sites. Discourse is an open-source community platform. A data leak affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b: on login-required sites, some private content on the site's homepage could be visible to unauthenticated users. Only login-required sites deployed during this window are affected, roughly between April 30 2025 noon EDT and May 2 2025 noon EDT. Sites on the stable branch are unaffected. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable. No workarounds are available; sites must upgrade to a non-vulnerable version of Discourse.
Discourse
CVE-2025-32376 Apr 30, 2025
Discourse DM Limit Bypass in Stable 3.4.3 & Beta 3.5.0.beta3. Discourse is an open-source discussion platform. Prior to versions 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch, the user limit for a DM can be bypassed, giving the ability to potentially create a DM containing every user on a site. This issue has been patched in stable version 3.4.3 and beta version 3.5.0.beta3.
Discourse
CVE-2025-24972 Mar 26, 2025
Discourse 3.3.4/3.4.0.beta5 DM Exploit: Users Added to Chats when DM Disabled Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats.
Discourse
CVE-2025-24808 Mar 26, 2025
Discourse 3.3.4 Race Condition on add_users_to_channel Allows Group DM Limit Bypass Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due to a race condition. The patch in versions `3.3.4` and `3.4.0.beta5` uses the `lock` step in service to wrap part of the `add_users_to_channel` service inside a distributed lock/mutex in order to avoid the race condition.
Discourse
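The race described in the add_users_to_channel entry above is the classic check-then-act problem: the member-limit check and the insert are separate steps, so parallel requests can all pass the check before any of them inserts. The following Ruby program is an added example, not Discourse's code or its service framework; it reproduces the race deterministically with a barrier and then shows the same operation serialized under a lock. `Channel`, `MAX_MEMBERS` and the function names are assumptions; a process-local `Mutex` stands in for the distributed lock the advisory mentions, since everything here runs in one process.

```ruby
# Added example (not Discourse's code): the check-then-act race behind a
# group-DM member limit, and the same operation serialized with a lock.
require 'thread'

MAX_MEMBERS = 8   # assumed limit for illustration, not a Discourse setting

class Channel
  attr_reader :members
  def initialize
    @members = []
  end
end

# Vulnerable pattern: the limit check (step 1) and the insert (step 2) are
# separate. `checked` and `go` are queues used only to force every thread past
# the check before any thread inserts; with real parallel requests the same
# interleaving happens by chance.
def add_users_racy(channel, users, checked, go)
  users.map do |user|
    Thread.new do
      room_left = channel.members.size < MAX_MEMBERS   # step 1: check
      checked.push(user)
      go.pop                                            # wait at the barrier
      channel.members << user if room_left              # step 2: act
    end
  end.each(&:join)
  channel.members.size
end

# Fixed pattern: check and act inside one critical section so the pair is
# atomic. Discourse's fix wraps the service step in a distributed lock; a
# Mutex plays that role here because all threads live in one process.
LOCK = Mutex.new
def add_users_locked(channel, users)
  users.map do |user|
    Thread.new do
      LOCK.synchronize do
        channel.members << user if channel.members.size < MAX_MEMBERS
      end
    end
  end.each(&:join)
  channel.members.size
end

# Drive n parallel "requests" through the racy path; returns the final size.
def run_race(n_requests)
  checked = Queue.new
  go = Queue.new
  channel = Channel.new
  users = (1..n_requests).map { |i| "user#{i}" }
  # Release the barrier only after every request has performed its check.
  releaser = Thread.new do
    n_requests.times { checked.pop }
    n_requests.times { go.push(true) }
  end
  size = add_users_racy(channel, users, checked, go)
  releaser.join
  size
end

# Same n requests through the locked path; returns the final size.
def run_locked(n_requests)
  channel = Channel.new
  add_users_locked(channel, (1..n_requests).map { |i| "user#{i}" })
end

if __FILE__ == $0
  puts "racy:   #{run_race(20)} members (limit #{MAX_MEMBERS})"
  puts "locked: #{run_locked(20)} members (limit #{MAX_MEMBERS})"
end
```

With 20 parallel requests the racy path ends with 20 members while the locked path stops at 8. In a multi-process deployment a `Mutex` is not enough, because each web worker has its own; the lock has to live in shared state (Redis or the database), which is why the advisory describes a distributed lock.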
CVE-2024-53266 Feb 04, 2025
Discourse XSS via Profile Activity Streams when CSP disabled Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.
Discourse
CVE-2024-53851 Feb 04, 2025
Discourse Authenticated Inline Onebox URL Count Abuse DoS Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
Discourse
CVE-2024-53994 Feb 04, 2025
Discourse Chat Still Reachable When Disabled. Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable the chat plugin within site settings.
Discourse
CVE-2024-55948 Feb 04, 2025
Discourse Anonymous Cache Poisoning via XHR. Discourse is an open source platform for community discussion. In affected versions an attacker can craft an XHR request to poison the anonymous cache (for example, the cache may end up holding a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable the anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Discourse
CVE-2024-56197 Feb 04, 2025
Discourse PM Tag Metadata Leak via Group Permissions. Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. Users are advised to upgrade. Users unable to upgrade should remove all groups from the "PM tags allowed for groups" option.
Discourse
CVE-2024-56328 Feb 04, 2025
Discourse JS injection via Onebox URL. Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox URL. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP, disable inline Oneboxes globally, or allow only specific domains for Oneboxing.
Discourse
CVE-2025-22601 Feb 04, 2025
Discourse Username Change via activate-account Link. Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user into changing their own username via a carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
CVE-2025-22602 Feb 04, 2025
Discourse Arbitrary JS via Malicious Video Placeholder (No CSP). Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder HTML element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP.
Discourse
CVE-2025-23023 Feb 04, 2025
Discourse Anonymous Cache Poisoning via Header Manipulation Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade may disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Discourse
CVE-2024-49765 Dec 19, 2024
Discourse Connect Local Login Bypass Vulnerability Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Users unable to upgrade who are using discourse connect may disable all other login methods as a workaround.
Discourse
CVE-2024-53991 Dec 19, 2024
Discourse Local File Disclosure Vulnerability in FileStore::LocalStore. Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore`, which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade can either (1) download all local backups to another storage device, disable the `enable_backups` site setting and delete all backups until the site has been upgraded to pull in the fix, or (2) change the `backup_location` site setting to `s3` so that backups are stored on and downloaded directly from S3.
Discourse
CVE-2024-47773 Oct 08, 2024
Discourse XHR Cache Poisoning for Anonymous Visitors Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Discourse
CVE-2024-43789 Oct 07, 2024
Discourse: DoS via Mass Post Reply Fetch. Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
CVE-2024-45051 Oct 07, 2024
Email address bypass of domain restrictions in Discourse. Discourse is an open source platform for community discussion. A maliciously crafted email address could allow an attacker to bypass domain-based restrictions and gain access to private sites, categories and/or groups. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
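The advisory above does not say what the crafted address looked like, so the following is not the reported bypass. It is an added example, not Discourse's code or the page's, of the general weakness an "allowed email domains" rule can have: a naive suffix test against the whole string, compared with a strict parse that requires exactly one `@` and an exact, case-insensitive match of the domain part. The allowlist, the function names and the sample addresses are constructed for illustration.

```ruby
# Added example (not Discourse's code): naive suffix matching versus a strict
# parse for an "allowed email domains" rule. Allowlist and samples are constructed.
ALLOWED_DOMAINS = %w[example.com].freeze   # assumed allowlist

# Naive: accepts anything whose string ends with an allowlisted domain.
def naive_allowed?(email)
  ALLOWED_DOMAINS.any? { |d| email.downcase.end_with?(d) }
end

# Plain hostname: dot-separated labels of [a-z0-9-], no leading/trailing hyphen.
HOSTNAME = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\z/

# Strict: exactly one "@", a non-empty local part without separator characters,
# and a domain that parses as a hostname and equals an allowlisted value.
def strict_allowed?(email)
  return false unless email.is_a?(String) && email.count('@') == 1
  local, domain = email.split('@', 2)
  return false if local.empty? || local.match?(/[\s"(),:;<>\[\]\\]/)
  domain = domain.downcase
  return false unless domain.match?(HOSTNAME)
  ALLOWED_DOMAINS.include?(domain)
end

# Constructed inputs: the first two are legitimate, the rest should be rejected.
SAMPLES = [
  'alice@example.com',
  'ALICE@Example.COM',
  'mallory@notexample.com',           # suffix match, different domain
  'mallory@evil.example.com',         # subdomain not on the allowlist
  'mallory@evil.net@example.com',     # two @ signs
  'mallory@evil.net,bob@example.com', # two addresses in one field
  'example.com',                      # not an address at all
].freeze

# Returns {address => [naive_verdict, strict_verdict]}.
def compare(samples = SAMPLES)
  samples.to_h { |e| [e, [naive_allowed?(e), strict_allowed?(e)]] }
end

if __FILE__ == $0
  compare.each { |e, (n, s)| puts format('%-34s naive=%-5s strict=%s', e, n, s) }
end
```

The strict version deliberately rejects quoted local parts and other RFC 5322 oddities; for an access-control decision, refusing an unusual address is the safer failure mode, and the address should be compared only after it has been normalized the same way everywhere it is checked.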
CVE-2024-45297 Oct 07, 2024
Discourse Hidden Tag Disclosure: Insecure Tag Visibility Vulnerability. Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
CVE-2024-47772 Oct 07, 2024
Discourse XSS via crafted chat msg when CSP disabled Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.
Discourse
CVE-2024-45303 Sep 12, 2024
Discourse Calendar Plugin XSS via Dynamic Event Names, fixed in 0.5. The Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.
Calendar
CVE-2024-21658 Aug 30, 2024
Discourse Calendar plugin: Region length overflow allows bandwidth and disk DoS. discourse-calendar is a Discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched on the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.
Discourse Calendar
Discourse
CVE-2024-39320 Jul 30, 2024
Discourse iframe injection before 3.2.5/3.3.0.beta5. Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, an attacker can inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
Discourse
CVE-2024-37299 Jul 30, 2024
DoS via Long Tag Group Names in Discourse <3.2.5/3.3.0.beta5 Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
Discourse
CVE-2024-37165 Jul 30, 2024
Discourse XSS via unsanitized Onebox before 3.2.3/3.3.0beta3 Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.
Discourse
CVE-2024-38360 Jul 15, 2024
Discourse DoS via Unlimited Replacement Words (<=3.2.2) Discourse is an open source platform for community discussion. In affected versions by creating replacement words with an almost unlimited number of characters, a moderator can reduce the availability of a Discourse instance. This issue has been addressed in stable version 3.2.3 and in current betas. Users are advised to upgrade. Users unable to upgrade may manually remove the long watched words either via SQL or Rails console.
Discourse
CVE-2024-37157 Jul 03, 2024
Discourse FastImage Library Redirection to Internal IP (before 3.2.3/3.3.0.beta4) Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available.
Discourse
CVE-2024-36122 Jul 03, 2024
Discourse < 3.2.3 review queue leaks email addresses. Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a user's email address even when the "Allow moderators to view email addresses" setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue, or disable the "approve suspect users" and "must approve users" site settings to prevent users from being added to the review queue.
Discourse
CVE-2024-36113 Jul 03, 2024
Discourse Rogue Staff Suspend Vulnerability before 3.2.3 Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
Discourse
CVE-2024-35234 Jul 03, 2024
Discourse JS Injection via Meta Tags before 3.2.3/3.3.0.beta3 (CSP Disabled). Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users' browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Policy (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.
Discourse
CVE-2024-35227 Jul 03, 2024
DoS via Oneboxing in Discourse <3.2.3, 3.3.0.beta3 Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. There are no known workarounds available for this vulnerability.
Discourse
CVE-2024-31219 Apr 15, 2024
Discourse Reactions Plugin Exposes Whisper Content on /u/:username activity. discourse-reactions is a plugin that allows users to add reactions to posts. When whispers are enabled on a site via `whispers_allowed_groups` and reactions are made on whispers in public topics, the contents of the whisper and the reaction data are shown on the `/u/:username/activity/reactions` endpoint.
Discourse
CVE-2024-24827 Mar 15, 2024
Discourse DoS via Unrestricted /uploads Endpoint Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server.
Discourse
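The `client_max_body_size` workaround named above caps the cost of each upload but not how many a client can start. The nginx fragment below is an added example, not Discourse's shipped nginx template or the page's; it pairs the body-size cap with a per-IP request rate limit that applies only to POST requests on the uploads path, using a `map` that yields an empty key (and therefore no accounting) for other methods. The zone name, rate, burst, size values, `location` prefix and upstream name are assumptions to adapt to the deployment, and where the file lives depends on whether nginx runs inside the Discourse container or in front of it.

```nginx
# Added example, not Discourse's nginx template. Names and numbers are assumptions.
http {
    # Key is the client address for POST only; an empty key is not rate limited,
    # so GETs of uploaded files on the same path prefix are unaffected.
    map $request_method $upload_post_key {
        default "";
        POST    $binary_remote_addr;
    }
    # 10 upload-creating requests per minute per client IP.
    limit_req_zone $upload_post_key zone=uploads:10m rate=10r/m;

    server {
        # ... existing Discourse proxy configuration ...

        # Workaround named in the advisory: reject large bodies before the
        # application reads them. Keep at or below the app's
        # max_attachment_size_kb / max_image_size_kb so the two limits agree.
        client_max_body_size 10m;

        location /uploads {
            client_max_body_size 10m;
            limit_req zone=uploads burst=5 nodelay;
            limit_req_status 429;
            proxy_pass http://discourse;   # assumed upstream name
        }
    }
}
```

Watch the nginx error log for `limiting requests` entries after deploying; legitimate bulk uploaders (for example a migration script) will hit the 429 and need either a higher rate or an exemption by source address.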
CVE-2024-27100 Mar 15, 2024
Discourse Param Over-Size Vulnerability Enables DoS Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
CVE-2024-28242 Mar 15, 2024
Discourse: Secret Category Disclosure via Backgrounds Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds.
Discourse
CVE-2024-24748 Mar 15, 2024
Discourse subcategory enumeration via hidden category leak Discourse is an open source platform for community discussion. In affected versions an attacker can learn that a secret subcategory exists under a public category which has no public subcategories. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Discourse
CVE-2024-27085 Mar 15, 2024
Discourse Invite Parameter Injection. Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting.
Discourse
CVE-2024-24817 Feb 22, 2024
Discourse Calendar: Anonymous Invitee Disclosure Pre-v0.4 Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.
Calendar
Discourse Calendar
CVE-2024-23654 Feb 21, 2024
Discourse-AI plugin SSRF via admin-initiated AI interactions discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.
Ai
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).