VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (246)

  • CVE-2026-33073MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in

  • CVE-2026-32951MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a cat

  • CVE-2026-32620MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see.

  • CVE-2026-32619MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with

  • CVE-2026-32618MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue ha

  • CVE-2026-32615MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did n

  • CVE-2026-32607MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console a

  • CVE-2026-32273MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS a

  • CVE-2026-32243MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript

  • CVE-2026-32143MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictio

  • CVE-2026-32113MedMar 31, 2026
    affected >= 2026.1.0, < 2026.1.3fixed 2026.1.3

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_

  • CVE-2026-33428Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index end

  • CVE-2026-33427Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against

  • CVE-2026-33426Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.

  • CVE-2026-33425Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` param

  • CVE-2026-33424Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain

  • CVE-2026-33423Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

  • CVE-2026-33422Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `ip_address` of a flagged user is exposed to any user who can access the review queue, including users who should not be able to see IP addresses. Versions 2026.3.0-

  • CVE-2026-33411Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that t

  • CVE-2026-33291Mar 20, 2026
    affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.

Page 2 of 13