CVE-2026-45780
Discourse: Private event sample invitees are serialized to non-invited event viewers
Vexday Risk Score
10Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
09 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Produtos afetados
discourse · discourseReferências
https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730https://github.com/discourse/discourse/releases/tag/v2026.1.5https://github.com/discourse/discourse/releases/tag/v2026.4.2https://github.com/discourse/discourse/releases/tag/v2026.5.1https://github.com/discourse/discourse/releases/tag/v2026.6.0https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7