Bitnami package
discourse
pkg:bitnami/discourse
Vulnerabilities (246)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33251 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026 | ||
| CVE-2026-32114 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access metadata about AI personas, features, and LLM models by pro | ||
| CVE-2026-31869 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hid | ||
| CVE-2026-31805 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access t | ||
| CVE-2026-30891 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026. | ||
| CVE-2026-30889 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 20, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and | ||
| CVE-2026-30888 | — | < 2026.3.0 | 2026.3.0 | Mar 20, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, | ||
| CVE-2026-33408 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No kn | ||
| CVE-2026-33395 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT g | ||
| CVE-2026-33394 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who s | ||
| CVE-2026-33393 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection w | ||
| CVE-2026-33355 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Version | ||
| CVE-2026-33410 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` paramet | ||
| CVE-2026-32099 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox | ||
| CVE-2026-29072 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-lates | ||
| CVE-2026-28282 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once m | ||
| CVE-2026-27936 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2. | ||
| CVE-2026-27935 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private to | ||
| CVE-2026-27934 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information dis | ||
| CVE-2026-27740 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model (LLM) and renders it using htmlSafe in the R |
- CVE-2026-33251Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026
- CVE-2026-32114Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access metadata about AI personas, features, and LLM models by pro
- CVE-2026-31869Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hid
- CVE-2026-31805Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access t
- CVE-2026-30891Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.
- CVE-2026-30889Mar 20, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and
- CVE-2026-30888Mar 20, 2026affected < 2026.3.0fixed 2026.3.0
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1,
- CVE-2026-33408Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No kn
- CVE-2026-33395Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious JavaScript code through DOT g
- CVE-2026-33394Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who s
- CVE-2026-33393Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection w
- CVE-2026-33355Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Version
- CVE-2026-33410Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` paramet
- CVE-2026-32099Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox
- CVE-2026-29072Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-lates
- CVE-2026-28282Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once m
- CVE-2026-27936Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.
- CVE-2026-27935Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private to
- CVE-2026-27934Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information dis
- CVE-2026-27740Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model (LLM) and renders it using htmlSafe in the R
Page 3 of 13