Unrated severity · NVD Advisory · Published Feb 26, 2026 · Updated Mar 3, 2026
Discourse has SQL injection in PM tag filtering
CVE-2026-27149
Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (list_private_messages_tag) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Affected products
- (no CPE) range: prior to 2025.12.2, 2026.1.1, 2026.2.0
- (no CPE) range: < 2025.12.2
References
- github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w (mitre, x_refsource_CONFIRM)