
Discourse (software)

Discourse is an open source Internet forum system released on August 26, 2014. It was founded by Jeff Atwood, Robin Ward, and Sam Saffron.

  • Founded: 2013
  • Products: 14
  • CVEs: 284
  • Across products: 289
  • Status: Private

Recent CVEs

  • CVE-2024-54142 | Critical | Jan 14, 2025
    risk 0.52 | CVSS 9.0 | EPSS 0.00

    Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation.…

  • CVE-2026-44786 | High | Jun 12, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any…

  • CVE-2026-45775 | Medium | Jun 12, 2026
    risk 0.37 | CVSS 6.8 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator…

  • CVE-2026-44784 | Medium | Jun 12, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP…

  • CVE-2026-33300 | Medium | Mar 31, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get…

  • CVE-2026-32143 | Medium | Mar 31, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility…

  • CVE-2024-43408 | Medium | Aug 20, 2024
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    Discourse Placeholder Forms will let you build dynamic documentation. Unsanitized and stored user input was injected in the HTML of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7.

  • CVE-2026-32113 | Medium | Mar 31, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with…

  • CVE-2026-44783 | Medium | Jun 12, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups…

  • CVE-2026-32615 | Medium | Mar 31, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did…

  • CVE-2026-32607 | Medium | Mar 31, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console…

  • CVE-2026-32273 | Medium | Mar 31, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS…

  • CVE-2026-32243 | Medium | Mar 31, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and…

  • CVE-2025-11983 | Medium | Nov 1, 2025
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's…

  • CVE-2026-47264 | Medium | Jun 12, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering…

  • CVE-2026-45085 | Medium | Jun 12, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar):…

  • CVE-2026-34154 | Medium | May 19, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has…

  • CVE-2026-32244 | Medium | May 19, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in…

  • CVE-2026-34947 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification.…

  • CVE-2026-27481 | Medium | Apr 3, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden…