← back
CVE-2026-45788

Discourse: Secure uploads exposed by hotlinked image copying

CVSS 6.3 MEDIUMCWE-200
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
discourse · discourse