
cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*

part: a · version: 3.3.0 · update: beta2

Vendor: Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225)
Product: Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8)
Edition: *
Language: *
Software edition: beta
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL                            Source     Last updated
pkg:github/discourse/discourse  purl2cpe   2026-06-01 10:13:03.599945
pkg:rpm/opensuse/discourse      purl2cpe   2026-06-01 10:13:03.599947

Vulnerability references

Identifier | CPE applicability | Submitted | Rationale (db.gcve.eu details follow each entry)
CVE:CVE-2025-32376 | vulnerable | 2026-06-03 15:00:40.697492 | Discourse DM limits aren’t always properly enforced
Discourse is an open-source discussion platform. Prior to versions 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch, the user limit for a DM can be bypassed, thus giving the ability to potentially create a DM with every user from a site in it. This issue has been patched in stable version 3.4.3 and beta version 3.5.0.beta3.
Published: 2025-04-30T14:55:21.473Z
Updated: 2025-04-30T15:08:52.268Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-39320 | vulnerable | 2026-06-03 14:56:20.554282 | Discourse allows iframe injection through default site setting
Severity: MEDIUM (6.1)
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
Published: 2024-07-30T14:33:48.589Z
Updated: 2024-08-02T04:19:20.670Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-38360 | vulnerable | 2026-06-03 14:56:16.866844 | Denial of service via Watched Words in Discourse
Severity: MEDIUM (4.9)
Discourse is an open source platform for community discussion. In affected versions by creating replacement words with an almost unlimited number of characters, a moderator can reduce the availability of a Discourse instance. This issue has been addressed in stable version 3.2.3 and in current betas. Users are advised to upgrade. Users unable to upgrade may manually remove the long watched words either via SQL or Rails console.
Published: 2024-07-15T19:43:04.811Z
Updated: 2024-08-02T04:04:25.127Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37299 | vulnerable | 2026-06-03 14:56:06.264423 | Discourse vulnerable to DoS via Tag Group
Severity: MEDIUM (4.9)
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
Published: 2024-07-30T14:22:36.367Z
Updated: 2024-08-02T03:50:55.878Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37165 | vulnerable | 2026-06-03 14:56:05.928702 | Discourse has an XSS via Onebox system
Severity: MEDIUM (6.3)
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.
Published: 2024-07-30T14:10:24.804Z
Updated: 2024-08-02T03:50:55.188Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37157 | vulnerable | 2026-06-03 14:56:05.914293 | Discourse vulnerable to Server-Side Request Forgery via FastImage
Severity: MEDIUM (6.4)
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available.
Published: 2024-07-03T19:13:42.868Z
Updated: 2024-08-02T03:50:55.878Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-36122 | vulnerable | 2026-06-03 14:56:03.595474 | Discourse doesn't limit reviewable user serializer payload
Severity: LOW (2.4)
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a user's email address even when the "Allow moderators to view email addresses" setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue, or disable the "approve suspect users" site setting and the "must approve users" site setting to prevent users from being added to the review queue.
Published: 2024-07-03T19:10:45.955Z
Updated: 2024-08-02T03:30:13.046Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-36113 | vulnerable | 2026-06-03 14:56:03.578227 | Discourse missing authorization checks for suspending admins/moderators
Severity: MEDIUM (4.9)
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users, preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
Published: 2024-07-03T19:07:27.133Z
Updated: 2024-08-02T03:30:13.048Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-35234 | vulnerable | 2026-06-03 14:55:55.741423 | Discourse vulnerable to stored-dom XSS via Facebook Oneboxes
Severity: MEDIUM (4.2)
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Policy (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.
Published: 2024-07-03T18:23:10.179Z
Updated: 2024-08-02T03:07:46.903Z
Imported from gcve-enriched-dumps CVE data
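The applicability column above hinges on one detail that is easy to get wrong: the CPE names a pre-release build (version 3.3.0, update beta2), and every advisory gives a separate fixed version per branch. Comparing 3.3.0.beta2 against the stable fix alone (say 3.2.3) reports it as patched, while the beta-branch fix (3.3.0.beta3 or later) shows it is still affected. The following is an added example, not code from this CPE entry or from the Discourse project, that parses the CPE 2.3 string at the top of the page into its attributes and evaluates the branch-aware check against the fixed versions transcribed from the advisories listed here. It uses Ruby's Gem::Version ordering, which treats 3.3.0.beta2 as a pre-release of 3.3.0 (3.3.0.beta2 < 3.3.0.beta5 < 3.3.0); the FIXES table, the function names and the treatment of tests-passed fixes as beta-branch fixes are this example's own assumptions.

```ruby
# Added example (not part of this CPE entry or of the Discourse project):
# parse the CPE 2.3 string and check it against per-branch fixed versions.

# Split a CPE 2.3 formatted string into its 11 attributes. A literal colon
# inside an attribute is escaped as "\:" in CPE 2.3, so a plain split(":") is wrong.
def parse_cpe23(cpe)
  prefix = "cpe:2.3:"
  raise ArgumentError, "not a CPE 2.3 formatted string" unless cpe.start_with?(prefix)
  fields = []
  cur = +""
  i = prefix.length
  while i < cpe.length
    ch = cpe[i]
    if ch == "\\" && i + 1 < cpe.length
      cur << ch << cpe[i + 1]   # keep the escape sequence verbatim
      i += 2
    elsif ch == ":"
      fields << cur
      cur = +""
      i += 1
    else
      cur << ch
      i += 1
    end
  end
  fields << cur
  raise ArgumentError, "expected 11 attributes, got #{fields.size}" unless fields.size == 11
  names = %i[part vendor product version update edition language
             sw_edition target_sw target_hw other]
  names.zip(fields).to_h
end

# Discourse tags pre-releases as "3.3.0.beta2"; the NVD feed splits that into
# version "3.3.0" and update "beta2". Rejoin them so Gem::Version can order them
# the way RubyGems does: 3.3.0.beta2 < 3.3.0.beta5 < 3.3.0.
def discourse_version(cpe)
  c = parse_cpe23(cpe)
  v = c[:version]
  v = "#{v}.#{c[:update]}" unless %w[* -].include?(c[:update])
  Gem::Version.new(v)
end

# Fixed versions per branch, transcribed from the advisory texts on this page
# (assumed mapping: fixes named for tests-passed are treated as beta-branch fixes;
# nil means the advisory gave no specific fixed version on that branch).
FIXES = {
  "CVE-2025-32376" => { stable: "3.4.3", beta: "3.5.0.beta3" },
  "CVE-2024-39320" => { stable: "3.2.5", beta: "3.3.0.beta5" },
  "CVE-2024-38360" => { stable: "3.2.3", beta: nil },
  "CVE-2024-37299" => { stable: "3.2.5", beta: "3.3.0.beta5" },
  "CVE-2024-37165" => { stable: "3.2.3", beta: "3.3.0.beta3" },
  "CVE-2024-37157" => { stable: "3.2.3", beta: "3.3.0.beta4" },
  "CVE-2024-36122" => { stable: "3.2.3", beta: "3.3.0.beta4" },
  "CVE-2024-36113" => { stable: "3.2.3", beta: "3.3.0.beta3" },
  "CVE-2024-35234" => { stable: "3.2.3", beta: "3.3.0.beta3" },
}.freeze

# A version with a non-numeric segment ("beta") is a pre-release, i.e. beta branch.
def branch_for(version)
  version.prerelease? ? :beta : :stable
end

# Branch-aware check: true/false when the advisory names a fix on this branch,
# nil when it does not (callers should treat nil as "unknown, assume affected").
def vulnerable?(version, fixes)
  fix = fixes[branch_for(version)]
  return nil if fix.nil?
  version < Gem::Version.new(fix)
end

# The mistake to avoid: comparing a beta build against the stable fix only.
# 3.3.0.beta2 sorts above 3.2.3, so this wrongly reports the beta as patched.
def naive_vulnerable?(version, fixes)
  version < Gem::Version.new(fixes[:stable])
end

def applicability_report(cpe, fixes = FIXES)
  v = discourse_version(cpe)
  fixes.to_h { |id, f| [id, vulnerable?(v, f)] }
end

if __FILE__ == $PROGRAM_NAME
  cpe = "cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*"
  applicability_report(cpe).each { |id, r| puts "#{id}: #{r.inspect}" }
end
```

Run against the CPE on this page, every entry comes out true or nil (CVE-2024-38360, whose advisory only says "current betas"), which agrees with the applicability column; the naive stable-only comparison would have cleared most of them.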
