Search criteria
498 vulnerabilities found for discourse by discourse
CVE-2026-24742 (GCVE-0-2026-24742)
Vulnerability from nvd – Published: 2026-01-28 20:11 – Updated: 2026-01-28 20:35
VLAI?
Title
Discourse staff action logs expose sensitive information to moderators
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:30:38.360494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:35:27.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:11:30.982Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6"
}
],
"source": {
"advisory": "GHSA-hwjv-9gqj-m7h6",
"discovery": "UNKNOWN"
},
"title": "Discourse staff action logs expose sensitive information to moderators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24742",
"datePublished": "2026-01-28T20:11:30.982Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-01-28T20:35:27.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23743 (GCVE-0-2026-23743)
Vulnerability from nvd – Published: 2026-01-28 20:07 – Updated: 2026-01-28 21:07
VLAI?
Title
Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:52:39.923679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:07:37.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn\u0027t have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page\u0027s search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:07:21.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv"
}
],
"source": {
"advisory": "GHSA-v5jw-rxc6-4cvv",
"discovery": "UNKNOWN"
},
"title": "Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23743",
"datePublished": "2026-01-28T20:07:21.266Z",
"dateReserved": "2026-01-15T15:45:01.958Z",
"dateUpdated": "2026-01-28T21:07:37.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21865 (GCVE-0-2026-21865)
Vulnerability from nvd – Published: 2026-01-28 19:51 – Updated: 2026-01-28 20:10
VLAI?
Title
Discourse topic conversion permission vulnerability for moderators
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:09:33.152008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:10:06.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn\u0027t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \"personal message enabled groups\" site setting until the Discourse instance has been upgraded to a version that has been patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:51:37.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39"
}
],
"source": {
"advisory": "GHSA-4777-wrv5-3g39",
"discovery": "UNKNOWN"
},
"title": "Discourse topic conversion permission vulnerability for moderators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21865",
"datePublished": "2026-01-28T19:51:37.991Z",
"dateReserved": "2026-01-05T16:44:16.368Z",
"dateUpdated": "2026-01-28T20:10:06.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69218 (GCVE-0-2025-69218)
Vulnerability from nvd – Published: 2026-01-28 19:30 – Updated: 2026-01-28 19:45
VLAI?
Title
Discourse moderators can access admin-only reports exposing private upload URLs
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:45:04.367808Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:45:12.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:28.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w"
}
],
"source": {
"advisory": "GHSA-79f9-j8h4-3w6w",
"discovery": "UNKNOWN"
},
"title": "Discourse moderators can access admin-only reports exposing private upload URLs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69218",
"datePublished": "2026-01-28T19:30:28.793Z",
"dateReserved": "2025-12-29T15:03:18.680Z",
"dateUpdated": "2026-01-28T19:45:12.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69289 (GCVE-0-2025-69289)
Vulnerability from nvd – Published: 2026-01-28 19:33 – Updated: 2026-01-28 20:15
VLAI?
Title
Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change
Summary
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:13:19.827893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:15:03.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the \"require_change_email_confirmation\" setting."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:49:35.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq"
}
],
"source": {
"advisory": "GHSA-p39j-x54c-rwqq",
"discovery": "UNKNOWN"
},
"title": "Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69289",
"datePublished": "2026-01-28T19:33:58.921Z",
"dateReserved": "2025-12-31T16:40:52.676Z",
"dateUpdated": "2026-01-28T20:15:03.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68934 (GCVE-0-2025-68934)
Vulnerability from nvd – Published: 2026-01-28 19:19 – Updated: 2026-01-28 19:46
VLAI?
Title
Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.
Severity ?
6.5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:46:05.140072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:46:16.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:19:59.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849"
}
],
"source": {
"advisory": "GHSA-vwjh-vrx9-9849",
"discovery": "UNKNOWN"
},
"title": "Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68934",
"datePublished": "2026-01-28T19:19:59.627Z",
"dateReserved": "2025-12-24T23:59:23.392Z",
"dateUpdated": "2026-01-28T19:46:16.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68666 (GCVE-0-2025-68666)
Vulnerability from nvd – Published: 2026-01-28 19:14 – Updated: 2026-01-28 20:20
VLAI?
Title
Discourse users archives leaked to users with moderation privileges
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:17:32.203334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:20:50.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:14:09.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv"
}
],
"source": {
"advisory": "GHSA-xmvw-jjqq-25mv",
"discovery": "UNKNOWN"
},
"title": "Discourse users archives leaked to users with moderation privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68666",
"datePublished": "2026-01-28T19:14:09.984Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2026-01-28T20:20:50.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68933 (GCVE-0-2025-68933)
Vulnerability from nvd – Published: 2026-01-28 19:17 – Updated: 2026-01-28 20:16
VLAI?
Title
Discourse non-admin moderators can exfiltrate private content via post ownership transfer
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.
Severity ?
6.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:15:21.675325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:16:21.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:26:43.099Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2"
}
],
"source": {
"advisory": "GHSA-hpxv-mw7v-fqg2",
"discovery": "UNKNOWN"
},
"title": "Discourse non-admin moderators can exfiltrate private content via post ownership transfer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68933",
"datePublished": "2026-01-28T19:17:23.713Z",
"dateReserved": "2025-12-24T23:59:23.392Z",
"dateUpdated": "2026-01-28T20:16:21.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68662 (GCVE-0-2025-68662)
Vulnerability from nvd – Published: 2026-01-28 19:12 – Updated: 2026-01-28 20:21
VLAI?
Title
FinalDestination hostname matching allows SSRF protection bypass
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
7.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:21:10.490100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:21:50.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:08.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c"
}
],
"source": {
"advisory": "GHSA-gcfp-rjfc-925c",
"discovery": "UNKNOWN"
},
"title": "FinalDestination hostname matching allows SSRF protection bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68662",
"datePublished": "2026-01-28T19:12:24.903Z",
"dateReserved": "2025-12-22T23:28:02.916Z",
"dateUpdated": "2026-01-28T20:21:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68479 (GCVE-0-2025-68479)
Vulnerability from nvd – Published: 2026-01-28 18:34 – Updated: 2026-01-29 18:11
VLAI?
Title
Discourse subscriptions are susceptible to takeover
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
7.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T16:04:12.315838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:11:42.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:28:16.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327"
}
],
"source": {
"advisory": "GHSA-6gjr-5897-m327",
"discovery": "UNKNOWN"
},
"title": "Discourse subscriptions are susceptible to takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68479",
"datePublished": "2026-01-28T18:34:00.486Z",
"dateReserved": "2025-12-18T18:29:07.309Z",
"dateUpdated": "2026-01-29T18:11:42.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68660 (GCVE-0-2025-68660)
Vulnerability from nvd – Published: 2026-01-28 18:55 – Updated: 2026-01-28 19:27
VLAI?
Title
Discourse AI Discover's continue conversation allows threat actor to impersonate user
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:14:05.420094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:15:09.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:18.739Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh"
}
],
"source": {
"advisory": "GHSA-mrvm-rprq-jqqh",
"discovery": "UNKNOWN"
},
"title": "Discourse AI Discover\u0027s continue conversation allows threat actor to impersonate user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68660",
"datePublished": "2026-01-28T18:55:11.557Z",
"dateReserved": "2025-12-22T17:55:15.946Z",
"dateUpdated": "2026-01-28T19:27:18.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68659 (GCVE-0-2025-68659)
Vulnerability from nvd – Published: 2026-01-28 18:51 – Updated: 2026-01-28 20:20
VLAI?
Title
Discourse has DoS vulnerability in username change endpoint
Summary
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
4.3 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:20:14.148307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:20:41.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:29.711Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p"
}
],
"source": {
"advisory": "GHSA-rmp6-c9rq-6q7p",
"discovery": "UNKNOWN"
},
"title": "Discourse has DoS vulnerability in username change endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68659",
"datePublished": "2026-01-28T18:51:40.341Z",
"dateReserved": "2025-12-22T17:55:15.946Z",
"dateUpdated": "2026-01-28T20:20:41.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67723 (GCVE-0-2025-67723)
Vulnerability from nvd – Published: 2026-01-28 18:21 – Updated: 2026-01-28 19:28
VLAI?
Title
Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin
Summary
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:05:28.048224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:05:36.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:28:24.714Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379"
}
],
"source": {
"advisory": "GHSA-955h-m28g-5379",
"discovery": "UNKNOWN"
},
"title": "Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67723",
"datePublished": "2026-01-28T18:21:35.379Z",
"dateReserved": "2025-12-10T19:25:20.819Z",
"dateUpdated": "2026-01-28T19:28:24.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66488 (GCVE-0-2025-66488)
Vulnerability from nvd – Published: 2026-01-28 18:15 – Updated: 2026-01-28 19:29
VLAI?
Title
Discourse allows script execution in uploaded HTML/XML files on S3
Summary
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them.
Severity ?
4.6 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T18:28:39.719089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T18:28:50.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:29:11.123Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx"
}
],
"source": {
"advisory": "GHSA-68jp-3934-62rx",
"discovery": "UNKNOWN"
},
"title": "Discourse allows script execution in uploaded HTML/XML files on S3"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66488",
"datePublished": "2026-01-28T18:15:52.902Z",
"dateReserved": "2025-12-02T22:44:04.706Z",
"dateUpdated": "2026-01-28T19:29:11.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64528 (GCVE-0-2025-64528)
Vulnerability from nvd – Published: 2025-12-30 16:04 – Updated: 2025-12-30 18:11
VLAI?
Title
Users are able to find users by name even when `enable_names` is off
Summary
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.
Severity ?
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T18:10:27.701529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T18:11:53.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.1"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T16:04:10.093Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4"
},
{
"name": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81"
},
{
"name": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df"
},
{
"name": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2"
}
],
"source": {
"advisory": "GHSA-c59w-jwx7-34v4",
"discovery": "UNKNOWN"
},
"title": "Users are able to find users by name even when `enable_names` is off"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64528",
"datePublished": "2025-12-30T16:04:10.093Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-12-30T18:11:53.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24742 (GCVE-0-2026-24742)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:11 – Updated: 2026-01-28 20:35
VLAI?
Title
Discourse staff action logs expose sensitive information to moderators
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.
Severity ?
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:30:38.360494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:35:27.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:11:30.982Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6"
}
],
"source": {
"advisory": "GHSA-hwjv-9gqj-m7h6",
"discovery": "UNKNOWN"
},
"title": "Discourse staff action logs expose sensitive information to moderators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24742",
"datePublished": "2026-01-28T20:11:30.982Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-01-28T20:35:27.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23743 (GCVE-0-2026-23743)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:07 – Updated: 2026-01-28 21:07
VLAI?
Title
Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:52:39.923679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:07:37.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn\u0027t have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page\u0027s search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:07:21.266Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv"
}
],
"source": {
"advisory": "GHSA-v5jw-rxc6-4cvv",
"discovery": "UNKNOWN"
},
"title": "Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23743",
"datePublished": "2026-01-28T20:07:21.266Z",
"dateReserved": "2026-01-15T15:45:01.958Z",
"dateUpdated": "2026-01-28T21:07:37.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21865 (GCVE-0-2026-21865)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:51 – Updated: 2026-01-28 20:10
VLAI?
Title
Discourse topic conversion permission vulnerability for moderators
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:09:33.152008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:10:06.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn\u0027t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \"personal message enabled groups\" site setting until the Discourse instance has been upgraded to a version that has been patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:51:37.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39"
}
],
"source": {
"advisory": "GHSA-4777-wrv5-3g39",
"discovery": "UNKNOWN"
},
"title": "Discourse topic conversion permission vulnerability for moderators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21865",
"datePublished": "2026-01-28T19:51:37.991Z",
"dateReserved": "2026-01-05T16:44:16.368Z",
"dateUpdated": "2026-01-28T20:10:06.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69289 (GCVE-0-2025-69289)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:33 – Updated: 2026-01-28 20:15
VLAI?
Title
Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change
Summary
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:13:19.827893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:15:03.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the \"require_change_email_confirmation\" setting."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:49:35.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq"
}
],
"source": {
"advisory": "GHSA-p39j-x54c-rwqq",
"discovery": "UNKNOWN"
},
"title": "Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69289",
"datePublished": "2026-01-28T19:33:58.921Z",
"dateReserved": "2025-12-31T16:40:52.676Z",
"dateUpdated": "2026-01-28T20:15:03.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69218 (GCVE-0-2025-69218)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-28 19:45
VLAI?
Title
Discourse moderators can access admin-only reports exposing private upload URLs
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:45:04.367808Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:45:12.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:28.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w"
}
],
"source": {
"advisory": "GHSA-79f9-j8h4-3w6w",
"discovery": "UNKNOWN"
},
"title": "Discourse moderators can access admin-only reports exposing private upload URLs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69218",
"datePublished": "2026-01-28T19:30:28.793Z",
"dateReserved": "2025-12-29T15:03:18.680Z",
"dateUpdated": "2026-01-28T19:45:12.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68934 (GCVE-0-2025-68934)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:19 – Updated: 2026-01-28 19:46
VLAI?
Title
Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.
Severity ?
6.5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:46:05.140072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:46:16.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:19:59.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849"
}
],
"source": {
"advisory": "GHSA-vwjh-vrx9-9849",
"discovery": "UNKNOWN"
},
"title": "Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68934",
"datePublished": "2026-01-28T19:19:59.627Z",
"dateReserved": "2025-12-24T23:59:23.392Z",
"dateUpdated": "2026-01-28T19:46:16.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68933 (GCVE-0-2025-68933)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:17 – Updated: 2026-01-28 20:16
VLAI?
Title
Discourse non-admin moderators can exfiltrate private content via post ownership transfer
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.
Severity ?
6.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:15:21.675325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:16:21.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:26:43.099Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2"
}
],
"source": {
"advisory": "GHSA-hpxv-mw7v-fqg2",
"discovery": "UNKNOWN"
},
"title": "Discourse non-admin moderators can exfiltrate private content via post ownership transfer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68933",
"datePublished": "2026-01-28T19:17:23.713Z",
"dateReserved": "2025-12-24T23:59:23.392Z",
"dateUpdated": "2026-01-28T20:16:21.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68666 (GCVE-0-2025-68666)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:14 – Updated: 2026-01-28 20:20
VLAI?
Title
Discourse users archives leaked to users with moderation privileges
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:17:32.203334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:20:50.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:14:09.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv"
}
],
"source": {
"advisory": "GHSA-xmvw-jjqq-25mv",
"discovery": "UNKNOWN"
},
"title": "Discourse users archives leaked to users with moderation privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68666",
"datePublished": "2026-01-28T19:14:09.984Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2026-01-28T20:20:50.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68662 (GCVE-0-2025-68662)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:12 – Updated: 2026-01-28 20:21
VLAI?
Title
FinalDestination hostname matching allows SSRF protection bypass
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
7.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:21:10.490100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:21:50.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:08.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c"
}
],
"source": {
"advisory": "GHSA-gcfp-rjfc-925c",
"discovery": "UNKNOWN"
},
"title": "FinalDestination hostname matching allows SSRF protection bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68662",
"datePublished": "2026-01-28T19:12:24.903Z",
"dateReserved": "2025-12-22T23:28:02.916Z",
"dateUpdated": "2026-01-28T20:21:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68660 (GCVE-0-2025-68660)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:55 – Updated: 2026-01-28 19:27
VLAI?
Title
Discourse AI Discover's continue conversation allows threat actor to impersonate user
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:14:05.420094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:15:09.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:18.739Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh"
}
],
"source": {
"advisory": "GHSA-mrvm-rprq-jqqh",
"discovery": "UNKNOWN"
},
"title": "Discourse AI Discover\u0027s continue conversation allows threat actor to impersonate user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68660",
"datePublished": "2026-01-28T18:55:11.557Z",
"dateReserved": "2025-12-22T17:55:15.946Z",
"dateUpdated": "2026-01-28T19:27:18.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68659 (GCVE-0-2025-68659)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:51 – Updated: 2026-01-28 20:20
VLAI?
Title
Discourse has DoS vulnerability in username change endpoint
Summary
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
4.3 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T20:20:14.148307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:20:41.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:27:29.711Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p"
}
],
"source": {
"advisory": "GHSA-rmp6-c9rq-6q7p",
"discovery": "UNKNOWN"
},
"title": "Discourse has DoS vulnerability in username change endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68659",
"datePublished": "2026-01-28T18:51:40.341Z",
"dateReserved": "2025-12-22T17:55:15.946Z",
"dateUpdated": "2026-01-28T20:20:41.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68479 (GCVE-0-2025-68479)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:34 – Updated: 2026-01-29 18:11
VLAI?
Title
Discourse subscriptions are susceptible to takeover
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Severity ?
7.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T16:04:12.315838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:11:42.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:28:16.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327"
}
],
"source": {
"advisory": "GHSA-6gjr-5897-m327",
"discovery": "UNKNOWN"
},
"title": "Discourse subscriptions are susceptible to takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68479",
"datePublished": "2026-01-28T18:34:00.486Z",
"dateReserved": "2025-12-18T18:29:07.309Z",
"dateUpdated": "2026-01-29T18:11:42.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67723 (GCVE-0-2025-67723)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:21 – Updated: 2026-01-28 19:28
VLAI?
Title
Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin
Summary
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:05:28.048224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:05:36.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:28:24.714Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379"
}
],
"source": {
"advisory": "GHSA-955h-m28g-5379",
"discovery": "UNKNOWN"
},
"title": "Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67723",
"datePublished": "2026-01-28T18:21:35.379Z",
"dateReserved": "2025-12-10T19:25:20.819Z",
"dateUpdated": "2026-01-28T19:28:24.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66488 (GCVE-0-2025-66488)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:15 – Updated: 2026-01-28 19:29
VLAI?
Title
Discourse allows script execution in uploaded HTML/XML files on S3
Summary
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them.
Severity ?
4.6 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T18:28:39.719089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T18:28:50.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.4"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:29:11.123Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx"
}
],
"source": {
"advisory": "GHSA-68jp-3934-62rx",
"discovery": "UNKNOWN"
},
"title": "Discourse allows script execution in uploaded HTML/XML files on S3"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66488",
"datePublished": "2026-01-28T18:15:52.902Z",
"dateReserved": "2025-12-02T22:44:04.706Z",
"dateUpdated": "2026-01-28T19:29:11.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64528 (GCVE-0-2025-64528)
Vulnerability from cvelistv5 – Published: 2025-12-30 16:04 – Updated: 2025-12-30 18:11
VLAI?
Title
Users are able to find users by name even when `enable_names` is off
Summary
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.
Severity ?
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T18:10:27.701529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T18:11:53.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.1"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T16:04:10.093Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4"
},
{
"name": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81"
},
{
"name": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df"
},
{
"name": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2"
}
],
"source": {
"advisory": "GHSA-c59w-jwx7-34v4",
"discovery": "UNKNOWN"
},
"title": "Users are able to find users by name even when `enable_names` is off"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64528",
"datePublished": "2025-12-30T16:04:10.093Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-12-30T18:11:53.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}