VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (246)

  • CVE-2026-47264MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering agains

  • CVE-2026-47263MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/ in Jobs::RedeliverWebHookEvents did not pass group_

  • CVE-2026-45775MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on

  • CVE-2026-45085MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-onl

  • CVE-2026-44786HigJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any M

  • CVE-2026-44785MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any a

  • CVE-2026-44784MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credenti

  • CVE-2026-44783MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configur

  • CVE-2026-44782MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS lo

  • CVE-2026-44780MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via i

  • CVE-2026-44779MedJun 12, 2026
    affected >= 2026.1.0, < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026

  • CVE-2026-34154MedMay 19, 2026
    affected < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has bee

  • CVE-2026-33514MedMay 19, 2026
    affected < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are inte

  • CVE-2026-32244MedMay 19, 2026
    affected < 2026.1.4fixed 2026.1.4

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versio

  • CVE-2026-34947MedApr 3, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. Thi

  • CVE-2026-27481MedApr 3, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-

  • CVE-2026-33415LowMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categ

  • CVE-2026-33300MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get inform

  • CVE-2026-33185MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to

  • CVE-2026-33074MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes alo

Page 1 of 13