Bitnami package
discourse
pkg:bitnami/discourse
Vulnerabilities (246)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27570 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, a | ||
| CVE-2026-27491 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerabi | ||
| CVE-2026-27454 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the | ||
| CVE-2026-27166 | — | >= 2026.1.0, < 2026.1.2 | 2026.1.2 | Mar 19, 2026 | Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in | ||
| CVE-2026-28227 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patc | ||
| CVE-2026-28219 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a | ||
| CVE-2026-28218 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. | ||
| CVE-2026-27154 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a | ||
| CVE-2026-27153 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. The method allowed moderators to export an | ||
| CVE-2026-27152 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, byp | ||
| CVE-2026-27162 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian | ||
| CVE-2026-27151 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category gro | ||
| CVE-2026-27150 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access t | ||
| CVE-2026-27149 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 202 | ||
| CVE-2026-27021 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2 | ||
| CVE-2026-26979 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarou | ||
| CVE-2026-26973 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation grou | ||
| CVE-2026-26265 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_ | ||
| CVE-2026-26207 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without v | ||
| CVE-2026-26078 | — | < 2025.12.2 | 2025.12.2 | Feb 26, 2026 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the reques |
- CVE-2026-27570Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, a
- CVE-2026-27491Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerabi
- CVE-2026-27454Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the
- CVE-2026-27166Mar 19, 2026affected >= 2026.1.0, < 2026.1.2fixed 2026.1.2
Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in
- CVE-2026-28227Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patc
- CVE-2026-28219Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a
- CVE-2026-28218Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries.
- CVE-2026-27154Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => false. Editing a post of a
- CVE-2026-27153Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. The method allowed moderators to export an
- CVE-2026-27152Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, byp
- CVE-2026-27162Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian
- CVE-2026-27151Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category gro
- CVE-2026-27150Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access t
- CVE-2026-27149Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 202
- CVE-2026-27021Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2
- CVE-2026-26979Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarou
- CVE-2026-26973Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation grou
- CVE-2026-26265Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_
- CVE-2026-26207Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without v
- CVE-2026-26078Feb 26, 2026affected < 2025.12.2fixed 2025.12.2
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the reques
Page 4 of 13