VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (233)

  • CVE-2026-32244  Med  May 19, 2026
    affected < 2026.1.4, fixed 2026.1.4

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versio

  • CVE-2026-34947  Med  Apr 3, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. Thi

  • CVE-2026-27481  Med  Apr 3, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-

  • CVE-2026-33415  Low  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categ

  • CVE-2026-33300  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get inform

  • CVE-2026-33185  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to

  • CVE-2026-33074  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes alo

  • CVE-2026-33073  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in

  • CVE-2026-32951  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a cat

  • CVE-2026-32620  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see.

  • CVE-2026-32619  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with

  • CVE-2026-32618  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue ha

  • CVE-2026-32615  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did n

  • CVE-2026-32607  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console a

  • CVE-2026-32273  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS a

  • CVE-2026-32243  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript

  • CVE-2026-32143  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictio

  • CVE-2026-32113  Med  Mar 31, 2026
    affected >= 2026.1.0, < 2026.1.3, fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_

  • CVE-2026-33428  Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2, fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index end

  • CVE-2026-33427  Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2, fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against
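
The affected and fixed columns above are per advisory, which makes it easy to pick the wrong upgrade target: 2026.1.3 clears the bulk of this page but is still inside the "< 2026.1.4" range of CVE-2026-32244. The following script is an added example (not VYPR's, Bitnami's or Discourse's code) that transcribes the twenty entries on this page into a table, evaluates an installed Bitnami Discourse version against each affected range, and computes the lowest listed fixed version that none of the listed ranges still covers. It handles only the range syntax shown on this page (">= 2026.1.0, < 2026.1.3") and plain numeric versions; the "-latest.1" style suffixes used in the upstream descriptions are rejected rather than ordered by guesswork. The sample installed version at the bottom is constructed input.

```python
"""Check an installed Bitnami Discourse version against the advisories listed
on this page.  Added example (not VYPR's, Bitnami's or Discourse's code): the
range syntax handled is the one shown on the page (">= 2026.1.0, < 2026.1.3")
and the advisory table is transcribed from the page's entries."""
import re
from typing import List, Optional, Tuple

# (CVE, severity as shown on the page, affected range, fixed version).
# Two entries carry no severity on the page; that is recorded as "".
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("CVE-2026-32244", "Med", "< 2026.1.4", "2026.1.4"),
    ("CVE-2026-34947", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-27481", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33415", "Low", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33300", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33185", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33074", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33073", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32951", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32620", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32619", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32618", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32615", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32607", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32273", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32243", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32143", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-32113", "Med", ">= 2026.1.0, < 2026.1.3", "2026.1.3"),
    ("CVE-2026-33428", "", ">= 2026.1.0, < 2026.1.2", "2026.1.2"),
    ("CVE-2026-33427", "", ">= 2026.1.0, < 2026.1.2", "2026.1.2"),
]

_VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")
_CLAUSE_RE = re.compile(r"(<=|>=|<|>|=)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2026.1.3' -> (2026, 1, 3).  Only the plain numeric form used by the
    Bitnami ranges is accepted; a suffix such as '-latest.1' (used in the
    upstream descriptions) raises instead of being ordered by guesswork."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Numeric comparison with short tuples zero-padded, so 2026.1 == 2026.1.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_in_range(version: str, range_text: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `range_text`."""
    v = parse_version(version)
    for clause in range_text.split(","):
        m = _CLAUSE_RE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, c = m.group(1), _compare(v, parse_version(m.group(2)))
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]:
            return False
    return True


def applicable_advisories(version: str) -> List[Tuple[str, str, str]]:
    """(CVE, severity, fixed) for each listed advisory whose range contains `version`."""
    return [(cve, sev, fixed)
            for cve, sev, rng, fixed in ADVISORIES if version_in_range(version, rng)]


def upgrade_target(version: str) -> Optional[str]:
    """Lowest listed 'fixed' version above `version` that none of the listed
    ranges still covers.  None when `version` is already clear of all of them.
    The trap this guards against: 'fixed' is per advisory, so 2026.1.3 clears
    most of the list but is still inside CVE-2026-32244's '< 2026.1.4'."""
    if not applicable_advisories(version):
        return None
    candidates = sorted({fixed for _, _, _, fixed in ADVISORIES}, key=parse_version)
    for fixed in candidates:
        if (_compare(parse_version(fixed), parse_version(version)) > 0
                and not applicable_advisories(fixed)):
            return fixed
    raise LookupError("no listed fixed version clears every applicable advisory")


if __name__ == "__main__":
    installed = "2026.1.2"  # constructed sample input, not a real deployment
    for cve, sev, fixed in applicable_advisories(installed):
        print(f"{cve:16} {sev or '-':4} fixed in {fixed}")
    print("upgrade to:", upgrade_target(installed))
```

Run against 2026.1.2 it reports eighteen applicable advisories (everything except the two whose range ends at 2026.1.2) and an upgrade target of 2026.1.4, not 2026.1.3; only the first page of the listing is transcribed, so a real check should load every page before trusting the target.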

Page 1 of 12