← back
CVE-2025-59337

Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments

CVSS 5.5 MEDIUMEPSS 0.3%CWE-77
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Oct 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
discourse · discourse

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/discourse/discourse/commit/43536b60d012cc8084e7e701d6afab9ba01e28a5https://github.com/discourse/discourse/security/advisories/GHSA-7xjr-4f4g-9887