Discourse 3.6.0 Beta 1 Beta Branch
cpe:2.3:a:discourse:discourse:3.6.0:beta1:*:*:beta:*:*:*
part: a version: 3.6.0 update: beta1
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | beta |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/discourse/discourse | purl2cpe | 2026-06-01 10:13:03.645710 |
| pkg:rpm/opensuse/discourse | purl2cpe | 2026-06-01 10:13:03.645711 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-61598 | vulnerable | 2026-06-03 15:07:56.734598 | Discourse is missing Cache-Control response header on error responses<br>Discourse is an open source discussion platform. In versions before 3.6.2 and 3.6.0.beta2, the default Cache-Control response header with value no-store, no-cache was missing from error responses. This may have caused unintended caching of those responses by proxies, potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.<br>Published: 2025-10-28T20:38:54.753Z<br>Updated: 2025-10-29T13:43:00.335Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-59337 | vulnerable | 2026-06-03 15:06:24.924121 | Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments<br>Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.<br>Published: 2025-10-01T20:41:45.833Z<br>Updated: 2025-10-02T15:56:54.652Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58055 | vulnerable | 2026-06-03 15:06:20.487678 | Discourse AI Suggestions Contain Insecure Direct Object Reference<br>MEDIUM (4.3)<br>Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To work around this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.<br>Published: 2025-10-01T18:48:55.853Z<br>Updated: 2025-10-23T13:20:54.766Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58054 | vulnerable | 2026-06-03 15:06:20.486936 | Discourse is vulnerable to XSS when quoting chat messages<br>LOW (3.5)<br>Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.<br>Published: 2025-10-01T18:42:54.700Z<br>Updated: 2025-10-01T19:24:29.602Z | Imported from gcve-enriched-dumps CVE data |