Discourse 2.9.0 Beta 11
Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:discourse:2.9.0:beta11:*:*:*:*:*:*
part: a version: 2.9.0 update: beta11
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Discourse (4347364d-ae10-5ab6-a9ec-6e7dcaf78dd8) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/discourse/discourse |
purl2cpe | 2026-06-01 10:13:03.519055 |
pkg:rpm/opensuse/discourse |
purl2cpe | 2026-06-01 10:13:03.519056 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2022-46168 |
vulnerable | 2026-06-03 14:48:25.620288 |
Group SMTP user emails are exposed in CC email header
LOW (3.5)
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another's email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC'd on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled.
Published: 2023-01-05T17:18:58.143Z
Updated: 2025-03-10T21:32:09.707Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-46159 |
vulnerable | 2026-06-03 14:48:25.595340 |
Any authenticated Discourse user can create an unlisted topic
MEDIUM (4.3)
Discourse is an open-source discussion platform. In version 2.8.13 and prior on the `stable` branch and version 2.9.0.beta14 and prior on the `beta` and `tests-passed` branches, any authenticated user can create an unlisted topic. These topics, which are not readily available to other users, can take up unnecessary site resources. A patch for this issue is available in the `main` branch of Discourse. There are no known workarounds available.
Published: 2022-12-02T14:15:11.740Z
Updated: 2025-04-23T16:33:08.773Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-46150 |
vulnerable | 2026-06-03 14:48:25.573298 |
Discourse may allow exposure of hidden tags in the subject of notification emails
MEDIUM (4.3)
Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users.
Published: 2022-11-29T00:00:00.000Z
Updated: 2025-04-23T16:33:56.607Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-46148 |
vulnerable | 2026-06-03 14:48:25.565553 |
Discourse allows self-XSS through malicious composer message
HIGH (7.1)
Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Published: 2022-11-29T00:00:00.000Z
Updated: 2025-04-23T16:34:02.080Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-41944 |
vulnerable | 2026-06-03 14:48:11.879731 |
Discourse users can see notifications for topics they no longer have access to
LOW (3.5)
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.
Published: 2022-11-28T00:00:00.000Z
Updated: 2025-04-23T16:34:25.779Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-41921 |
vulnerable | 2026-06-03 14:48:11.828665 |
Discourse chat messages should have a maximum character limit
LOW (3.5)
Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available.
Published: 2022-11-28T00:00:00.000Z
Updated: 2025-04-23T16:34:31.783Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-23549 |
vulnerable | 2026-06-03 14:46:27.656745 |
Discourse vulnerable to bypass of post max_length using HTML comments
MEDIUM (5.7)
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
Published: 2023-01-05T00:00:00.000Z
Updated: 2025-03-10T21:32:15.478Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-23548 |
vulnerable | 2026-06-03 14:46:27.653653 |
Details available
MEDIUM (6.5)
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
Published: 2023-01-05T00:00:00.000Z
Updated: 2025-03-10T21:32:22.096Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-23546 |
vulnerable | 2026-06-03 14:46:27.645341 |
Discourse vulnerable to private topic leak via email#send_digest
MEDIUM (5.5)
In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.
Published: 2023-01-05T18:10:08.048Z
Updated: 2025-03-10T21:32:03.679Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.