Discourse 3.5.0 Beta 4 Beta Branch
Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:discourse:3.5.0:beta4:*:*:beta:*:*:*
part: a version: 3.5.0 update: beta4
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | beta |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/discourse/discourse |
purl2cpe | 2026-06-01 10:13:03.632769 |
pkg:rpm/opensuse/discourse |
purl2cpe | 2026-06-01 10:13:03.632770 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-54411 |
vulnerable | 2026-06-03 15:04:55.981809 |
Discourse welcome banner user name XSS
Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate
any users for the time being. This vulnerability is fixed in 3.5.0.beta8.
Published: 2025-08-19T16:41:40.362Z
Updated: 2025-08-19T19:17:28.269Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-53102 |
vulnerable | 2026-06-03 15:03:53.366183 |
Discourse's WebAuthn challenge isn't cleared from user session after authentication
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
Published: 2025-07-29T19:24:06.076Z
Updated: 2025-07-29T19:33:43.304Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48954 |
vulnerable | 2026-06-03 15:01:43.804325 |
Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow
HIGH (8.1)
Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.
Published: 2025-06-25T14:02:46.515Z
Updated: 2025-06-25T14:19:13.945Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48877 |
vulnerable | 2026-06-03 15:01:43.661814 |
Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
Published: 2025-06-09T12:36:29.651Z
Updated: 2025-06-09T15:17:08.586Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48062 |
vulnerable | 2026-06-03 15:01:34.053142 |
Discourse vulnerable to HTML injection when inviting to topic via email
HIGH (7.1)
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
Published: 2025-06-09T12:33:57.870Z
Updated: 2025-06-09T13:00:15.272Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48053 |
vulnerable | 2026-06-03 15:01:34.040390 |
Discourse vulnerable to DoS via large URL payload in PM to a bot
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause a reduced the availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.
Published: 2025-06-09T12:30:33.626Z
Updated: 2025-06-09T13:01:18.409Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.