Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
part: a version: 2026.3.0 update: *
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | latest.1 |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/discourse/discourse |
purl2cpe | 2026-06-01 10:13:03.502080 |
pkg:rpm/opensuse/discourse |
purl2cpe | 2026-06-01 10:13:03.502082 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-33415 |
vulnerable | 2026-06-03 15:20:44.789036 |
Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:42:15.870Z
Updated: 2026-04-03T16:21:37.890Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-33300 |
vulnerable | 2026-06-03 15:20:44.638537 |
Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:42:00.882Z
Updated: 2026-04-01T18:34:16.767Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-33185 |
vulnerable | 2026-06-03 15:20:44.481224 |
Discourse: Group SMTP test endpoint susceptible to SSRF
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:41:44.893Z
Updated: 2026-04-01T13:47:00.577Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-33074 |
vulnerable | 2026-06-03 15:20:44.206341 |
Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:41:32.012Z
Updated: 2026-03-31T18:52:20.144Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-33073 |
vulnerable | 2026-06-03 15:20:44.205845 |
discourse-subscriptions plugin leaking stripe API key in multisite environment
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:38:59.916Z
Updated: 2026-04-03T16:16:18.969Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32951 |
vulnerable | 2026-06-03 15:20:43.994961 |
Discourse: Authorization bypass in oneboxer via user-controlled category id
MEDIUM (4.3)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category_id parameter matching the shared drafts category. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:41:20.559Z
Updated: 2026-04-01T18:33:42.891Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32620 |
vulnerable | 2026-06-03 15:20:43.269487 |
Discourse: Missing post-level authorization allows whisper metadata disclosure
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:41:03.246Z
Updated: 2026-04-01T13:48:23.128Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32619 |
vulnerable | 2026-06-03 15:20:43.269026 |
Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with polls in that topic, including voting and toggling poll status. No content was exposed, but users could modify poll state in topics they should no longer have access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:40:41.588Z
Updated: 2026-03-31T18:52:26.060Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32618 |
vulnerable | 2026-06-03 15:20:43.268536 |
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id
MEDIUM (4.3)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:40:41.484Z
Updated: 2026-04-03T16:20:00.471Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32615 |
vulnerable | 2026-06-03 15:20:43.263254 |
Discourse: Category group moderators can perform actions on topics in restricted categories without read access
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:40:17.212Z
Updated: 2026-04-01T18:06:54.206Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32607 |
vulnerable | 2026-06-03 15:20:43.254868 |
Discourse: Stored XSS via unescaped assignee name
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console access to change), user and group display names are rendered without HTML escaping in several assignment-related UI paths. This allows users with assign permission to inject arbitrary HTML/JavaScript that executes in the browser of any user viewing an affected topic. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:40:05.155Z
Updated: 2026-04-01T13:48:54.473Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32273 |
vulnerable | 2026-06-03 15:20:42.666449 |
Discourse: XSS on category description update via API
MEDIUM (5.4)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:39:48.771Z
Updated: 2026-03-31T18:52:31.983Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32243 |
vulnerable | 2026-06-03 15:20:42.603226 |
Discourse: Stored XSS in discourse-ai shared conversations onebox
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:39:38.318Z
Updated: 2026-04-03T16:18:12.209Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32143 |
vulnerable | 2026-06-03 15:20:42.010145 |
Discourse: Admin-only report can be exported by moderators
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:39:25.635Z
Updated: 2026-04-01T18:05:32.105Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-32113 |
vulnerable | 2026-06-03 15:20:41.947730 |
Discourse: Open redirect via `sso_destination_url` cookie in `enter`
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31T17:39:25.820Z
Updated: 2026-04-01T13:56:12.868Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.