Discourse 2.9.0 Beta 9
Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*
part: a version: 2.9.0 update: beta9
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/discourse/discourse |
purl2cpe | 2026-06-01 10:13:03.519118 |
pkg:rpm/opensuse/discourse |
purl2cpe | 2026-06-01 10:13:03.519119 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2022-41944 |
vulnerable | 2026-06-03 14:48:11.879888 |
Discourse users can see notifications for topics they no longer have access to
LOW (3.5)
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.
Published: 2022-11-28T00:00:00.000Z
Updated: 2025-04-23T16:34:25.779Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-41921 |
vulnerable | 2026-06-03 14:48:11.833616 |
Discourse chat messages should have a maximum character limit
LOW (3.5)
Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available.
Published: 2022-11-28T00:00:00.000Z
Updated: 2025-04-23T16:34:31.783Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-39378 |
vulnerable | 2026-06-03 14:47:51.570751 |
Displaying user badges can leak topic titles to users that have no access to the topic
MEDIUM (5.3)
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any user. If there are sensitive information in the topic title, it will therefore have been exposed. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are currently no known workarounds available.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-04-23T16:41:39.544Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-39356 |
vulnerable | 2026-06-03 14:47:51.538221 |
Discourse user account takeover via email and invite link
HIGH (8.9)
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-04-23T16:41:45.660Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-39241 |
vulnerable | 2026-06-03 14:47:51.304995 |
Possible Server-Side Request Forgery (SSRF) in webhooks
HIGH (7.6)
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-04-23T16:41:51.692Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-39232 |
vulnerable | 2026-06-03 14:47:51.288296 |
Discourse vulnerable to incomplete quote causing a topic to crash in the browser
MEDIUM (6.5)
Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console.
Published: 2022-09-29T20:15:14.000Z
Updated: 2025-04-23T16:53:30.137Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-39226 |
vulnerable | 2026-06-03 14:47:51.280099 |
Discourse user profile location and website fields were not sufficiently length-limited
MEDIUM (4.3)
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
Published: 2022-09-29T20:05:11.000Z
Updated: 2025-04-23T16:53:35.523Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-36068 |
vulnerable | 2026-06-03 14:47:39.341610 |
Discourse moderators can edit themes via the API
HIGH (7.2)
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
Published: 2022-09-29T19:45:13.000Z
Updated: 2025-04-23T16:53:41.566Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-36066 |
vulnerable | 2026-06-03 14:47:39.337500 |
Discourse vulnerable to RCE via admins uploading maliciously zipped file
CRITICAL (9.1)
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
Published: 2022-09-29T19:35:09.000Z
Updated: 2025-04-23T16:53:48.162Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.