Unrated severityNVD Advisory· Published Oct 1, 2025· Updated Oct 2, 2025

Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments

CVE-2025-59337

Description

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.

Affected products

Discourse (software)/Discoursev5
Range: < 3.5.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/43536b60d012cc8084e7e701d6afab9ba01e28a5mitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-7xjr-4f4g-9887mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000