Bitnami package
discourse
pkg:bitnami/discourse
Vulnerabilities (233)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33426 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026. |
| CVE-2026-33425 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` param |
| CVE-2026-33424 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain |
| CVE-2026-33423 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available. |
| CVE-2026-33422 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `ip_address` of a flagged user is exposed to any user who can access the review queue, including users who should not be able to see IP addresses. Versions 2026.3.0- |
| CVE-2026-33411 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that t |
| CVE-2026-33291 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2. |
| CVE-2026-33251 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026 |
| CVE-2026-32114 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access metadata about AI personas, features, and LLM models by pro |
| CVE-2026-31869 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hid |
| CVE-2026-31805 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access t |
| CVE-2026-30891 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026. |
| CVE-2026-30889 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and |
| CVE-2026-30888 | — | | | < 2026.3.0 | 2026.3.0 | Mar 20, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, |
| CVE-2026-33408 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No kn |
| CVE-2026-33395 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT g |
| CVE-2026-33394 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who s |
| CVE-2026-33393 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection w |
| CVE-2026-33355 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Version |
| CVE-2026-33410 | — | | | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` paramet |
Page 2 of 12