Discourse 3.5.0 Beta 5 Beta Branch
Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:discourse:3.5.0:beta5:*:*:beta:*:*:*
part: a version: 3.5.0 update: beta5
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | beta |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/discourse/discourse |
purl2cpe | 2026-06-01 10:13:03.635581 |
pkg:rpm/opensuse/discourse |
purl2cpe | 2026-06-01 10:13:03.635582 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-54411 |
vulnerable | 2026-06-03 15:04:55.982660 |
Discourse welcome banner user name XSS
Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate
any users for the time being. This vulnerability is fixed in 3.5.0.beta8.
Published: 2025-08-19T16:41:40.362Z
Updated: 2025-08-19T19:17:28.269Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-53102 |
vulnerable | 2026-06-03 15:03:53.366681 |
Discourse's WebAuthn challenge isn't cleared from user session after authentication
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
Published: 2025-07-29T19:24:06.076Z
Updated: 2025-07-29T19:33:43.304Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-48954 |
vulnerable | 2026-06-03 15:01:43.806054 |
Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow
HIGH (8.1)
Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.
Published: 2025-06-25T14:02:46.515Z
Updated: 2025-06-25T14:19:13.945Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.