← back
CVE-2026-49256

Discourse: Hidden tag names leaked via category serializers

CVSS 6.3 MEDIUMCWE-200
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
discourse · discourse