Discourse <3.5.1 RCE via meta-command exec in backup restore
CVE-2025-59337 Published on October 1, 2025

Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments
Discourse is an open-source community discussion platform. In versions 3.5.0 and earlier, meta-commands embedded in a backup dump were executed when that dump was restored. In a multisite deployment this let the administrator of one site run commands that read data or credentials belonging to other sites hosted on the same installation. The issue is fixed in version 3.5.1.
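The practical check a restore path wants here is to refuse a dump that contains any meta-command before it ever reaches the database client. The scanner below is an added example, not Discourse's own code or its fix: it assumes the backup is a plain-text SQL dump fed to psql, and that "meta-command" means a psql backslash command (a line whose first non-blank character is a backslash, such as \!, \copy, \c or \i). Lines inside a COPY ... FROM stdin data block are treated as data rather than commands and skipped up to the "\." terminator, since a backslash at the start of a data line is legitimate there. The sample dump, the table and file names in it, and the function names are constructed for illustration.

```ruby
# Added example (not Discourse's own code): refuse to restore a plain-SQL
# backup that contains psql meta-commands. Assumes the dump is a pg_dump
# plain-text file that the restore feeds to psql, where any line whose first
# non-blank character is a backslash is a meta-command (\!, \copy, \c, \i ...).
# Lines inside COPY ... FROM stdin data blocks are data, not commands, so they
# are skipped up to the "\." terminator.

COPY_FROM_STDIN = /\A\s*COPY\b.*\bFROM\s+stdin\b/i
COPY_TERMINATOR = /\A\\\.\s*\z/
META_COMMAND    = /\A\s*\\(\S*)/

# Returns [[line_number, line], ...] for every meta-command found outside COPY
# data. `allow` lists meta-command names to tolerate: recent pg_dump versions
# emit "\restrict" / "\unrestrict" guard lines, which would otherwise be flagged.
# Backslash lines inside multi-line string literals are also flagged; psql does
# not execute those, so this errs on the side of rejecting a dump.
def find_meta_commands(dump, allow: [])
  findings = []
  in_copy_data = false
  dump.each_line.with_index(1) do |line, lineno|
    if in_copy_data
      in_copy_data = false if line.match?(COPY_TERMINATOR)
      next
    end
    if line.match?(COPY_FROM_STDIN)
      in_copy_data = true
    elsif (m = line.match(META_COMMAND)) && !allow.include?(m[1])
      findings << [lineno, line.chomp]
    end
  end
  findings
end

def safe_to_restore?(dump, allow: [])
  find_meta_commands(dump, allow: allow).empty?
end

# Constructed sample dump: a normal COPY block (whose data legitimately
# contains a backslash) followed by two injected meta-commands. The table and
# file names are hypothetical.
SAMPLE_DUMP = <<~'SQL'
  SET statement_timeout = 0;
  COPY public.users (id, username) FROM stdin WITH (FORMAT csv);
  1,admin
  2,\bob
  \.
  \! cat config/multisite.yml
  \copy (SELECT * FROM user_api_keys) TO '/tmp/leak.csv' CSV
  CREATE INDEX idx_users_username ON public.users (username);
SQL

if __FILE__ == $PROGRAM_NAME
  find_meta_commands(SAMPLE_DUMP).each do |lineno, line|
    warn "line #{lineno}: meta-command in dump: #{line}"
  end
  puts(safe_to_restore?(SAMPLE_DUMP) ? "ok to restore" : "refusing restore")
end
```

Run against the sample, the scanner reports lines 6 and 7 and refuses the restore, while the `\bob` data line inside the COPY block is not flagged. Scanning is a gate, not a substitute for running the restore with the least privilege the target database needs.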

Source: NVD

Weakness Type

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2025-59337 has been classified as a Command Injection vulnerability or weakness.


Products Associated with CVE-2025-59337


Affected Versions

Discourse versions earlier than 3.5.1 are affected by CVE-2025-59337.

Exploit Probability

EPSS
0.03%
Percentile
8.28%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.