Discourse Security Vulnerabilities (CVEs)

This vulnerability in Discourse allows attackers to obtain sensitive information about private resources through URL redirects. When users without pro...

This CVE allows non-admin moderators in Discourse to view sensitive information in staff action logs that should be restricted to administrators only....

This vulnerability allows moderators in Discourse to improperly convert private personal messages into public topics, violating user privacy expectati...

This CVE allows moderators in Discourse to access the 'top_uploads' admin report, which should be restricted to administrators only. The report reveal...

A privilege escalation vulnerability in Discourse allows non-admin moderators to bypass email-change restrictions, potentially enabling account takeov...

This CVE allows Discourse moderators to view user archives containing private topic/post content, violating confidentiality. It affects Discourse inst...

This CVE allows non-admin moderators with post ownership transfer permissions to change ownership of posts in private messages and restricted categori...

This vulnerability allows authenticated users to submit specially crafted payloads to Discourse's drafts endpoint, causing O(n^2) processing that ties...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Discourse's FinalDestination component where hostname validation can be bypas...

This CVE describes an authorization bypass vulnerability in Discourse discussion platform where subscription endpoints lack proper ownership verificat...

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application-level denial of service vulnerability in the username change f...

This vulnerability in Discourse allows authenticated users to bypass AI persona access controls, gaining unauthorized access to staff-only AI personas...

This vulnerability in Discourse allows attackers to upload HTML or XML files to S3 storage that can execute scripts in the context of the S3/CDN domai...

This CVE describes a content-security-policy-mitigated cross-site scripting (XSS) vulnerability in Discourse's Math plugin when using the KaTeX varian...

This vulnerability in Discourse allows attackers to discover users' full names even when the 'enable_names' setting is disabled, by using partial user...

Discourse versions 3.5.0 and below contain an authorization bypass vulnerability in AI suggestion endpoints. Authenticated users can access restricted...

Discourse users on vulnerable versions can continue to view their own 'whisper' posts even after being removed from groups with whisper permissions. T...

Discourse versions before 3.5.0.beta6 are vulnerable to cross-site scripting (XSS) when social logins are used without Content Security Policy (CSP) e...

This vulnerability allows HTML injection in Discourse email invitations when topic titles contain HTML. Attackers can inject malicious HTML into email...

This CVE describes a data leak vulnerability in Discourse where unauthenticated users could view private content on the homepage of login-required sit...

This vulnerability allows attackers to bypass the user limit for direct messages (DMs) in Discourse, potentially creating DMs that include every user ...

Discourse users who disabled direct messaging in their preferences could still be added to group direct messages in specific circumstances. This affec...

This vulnerability in Discourse allows authenticated users to send excessive URL requests to the inline onebox generation endpoint, causing denial of ...

This vulnerability allows attackers to poison the anonymous cache in Discourse by crafting requests with specific headers, potentially causing visitor...

This vulnerability allows attackers to poison the anonymous cache in Discourse through crafted XHR requests, potentially serving incomplete or manipul...

This CVE allows attackers to execute arbitrary JavaScript in users' browsers by posting malicious onebox URLs in Discourse forums. It affects Discours...

This vulnerability allows attackers to execute arbitrary JavaScript in users' browsers by posting malicious video placeholder HTML elements in Discour...

Discourse sites using Discourse Connect (SSO) with local logins still enabled are vulnerable to authentication bypass. Attackers can create accounts a...

This CVE describes a cross-site scripting (XSS) vulnerability in Discourse's lightbox thumbnail feature. When users click on lightbox thumbnails, mali...

This vulnerability allows attackers to download Discourse backup files through nginx misconfiguration when using local storage. Only Discourse instanc...

This vulnerability in Discourse allows authenticated users to create posts with many replies and then fetch them all at once, potentially causing deni...

The Discourse Calendar plugin contains a cross-site scripting (XSS) vulnerability where malicious event names can execute arbitrary JavaScript when re...

CVE-2024-21658 is a resource exhaustion vulnerability in the discourse-calendar plugin where overly generous region value length limits allow attacker...

This vulnerability in Discourse allows attackers to submit extremely long tag group names in requests, which can cause resource exhaustion and reduce ...

This vulnerability in Discourse allows attackers to manipulate the FastImage library to redirect requests to internal Discourse IP addresses, potentia...

This vulnerability allows a rogue staff user with administrative privileges in Discourse to suspend other staff users, preventing them from logging in...

This vulnerability in Discourse allows attackers to reduce availability through a denial-of-service attack by exploiting improper input validation in ...

Discourse's message serializer mishandles expanded chat mentions (@all and @here), creating excessively large user arrays that can cause denial of ser...

This vulnerability in the discourse-calendar plugin allows attackers to inject malicious scripts into event titles, leading to cross-site scripting (X...

CVE-2023-44388 is a denial-of-service vulnerability in Discourse where malicious requests can rapidly fill production log files, causing servers to ru...

Discourse chat messages can be read by unauthenticated attackers via a POST request to MessageBus, exposing private conversations. This affects all Di...

This vulnerability in the discourse-encrypt plugin allows cross-site scripting (XSS) attacks when encrypted topic titles are improperly escaped. It af...

Discourse had a vulnerability where private message titles and participant lists were exposed to unauthorized users when groups were included in messa...

This Cross-Site Scripting (XSS) vulnerability in Discourse allows attackers to inject malicious scripts into d-popover tooltips, potentially compromis...