Vulnerabilities in Discourse
279 results

CVE            | Severity | Title                                                                                         | EPSS
CVE-2026-33424 | MEDIUM   | PM access granted through invites after access revocation                                     | 0.2%
CVE-2025-47288 | LOW      | Discourse Policy plugin private group members visible                                         | 0.2%
CVE-2025-68660 | MEDIUM   | Discourse AI Discover's continue conversation allows threat actor to impersonate user         | 0.2%
CVE-2025-32376 | MEDIUM   | Discourse DM limits aren't always properly enforced                                           | 0.2%
CVE-2026-47264 | MEDIUM   | Discourse: Don't leak restricted tag group names via tag info                                 | 0.2%
CVE-2026-31805 | MEDIUM   | Discourse has a poll authorization bypass via post_id array parameter                         | 0.2%
CVE-2026-34154 | LOW      | Discourse has a subscription access bypass in its discourse-subscriptions plugin              | 0.2%
CVE-2026-30888 | LOW      | Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint | 0.2%
CVE-2026-34947 | LOW      | Discourse: Staged user custom fields are exposed on public invite pages                       | 0.2%
CVE-2026-47263 | MEDIUM   | Discourse: Prevent webhook payload disclosure on event redelivery                             | 0.2%
CVE-2026-32114 | MEDIUM   | Discourse's unscoped status lookups leak restricted metadata                                  | 0.2%
CVE-2026-33411 | MEDIUM   | Discourse's solved topic stream has potential stored XSS in topic title                       | 0.2%
CVE-2026-33427 | LOW      | Discourse Authorization Page Displays Unvalidated Redirect Domain                             | 0.2%
CVE-2026-33425 | MEDIUM   | Discourse has inferable private group membership or existence via exclude_groups parameter    | 0.2%
CVE-2026-45085 | MEDIUM   | Discourse: Chat misauthorization and information disclosure                                   | 0.2%
CVE-2026-32620 | MEDIUM   | Discourse: Missing post-level authorization allows whisper metadata disclosure                | 0.2%
CVE-2026-32618 | MEDIUM   | Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id      | 0.2%
CVE-2026-32951 | MEDIUM   | Discourse: Authorization bypass in oneboxer via user-controlled category id                   | 0.2%
CVE-2025-69218 | HIGH     | Discourse moderators can access admin-only reports exposing private upload URLs               | 0.2%
CVE-2025-48062 | HIGH     | Discourse vulnerable to HTML injection when inviting to topic via email                       | 0.2%