Vulnerabilities in discourse

279 results

Vexday analysis

Com 278 CVEs catalogadas e nenhuma entrada confirmada no catálogo KEV da CISA, o Discourse apresenta taxa de exploração ativa abaixo da média geral do catálogo, o que sugere menor pressão de ameaças imediatas em comparação ao universo típico de produtos monitorados. Ainda assim, 31 vulnerabilidades surgiram nos últimos 90 dias, indicando ritmo relevante de descobertas recentes que exige acompanhamento contínuo. A falha mais prevalente é CWE-200 (exposição de informações sensíveis), padrão que tende a se manifestar em plataformas de comunicação e pode facilitar reconhecimento por parte de atacantes. A CVE mais perigosa ativa atualmente é CVE-2024-53991, com escore EPSS de 0,2543 — o mais alto observado no conjunto —, e entre as cinco vulnerabilidades críticas catalogadas quatro já contam com prova de conceito pública, o que eleva o risco de exploração para equipes que ainda não aplicaram as correções correspondentes.

CVE-2026-33428MEDIUMDiscourse Allows Unauthorized Access to Deleted Posts Index via Group MembershipEPSS 0.3%CVE-2025-61598MEDIUMDiscourse is missing Cache-Control response header on error responsesEPSS 0.3%CVE-2026-27935MEDIUMDiscourse leaks private topic metadata to non-authorized usersEPSS 0.3%CVE-2023-45147MEDIUMArbitrary keys can be added to a topic's custom fields by any user in DiscourseEPSS 0.3%CVE-2025-46824LOWDiscourse Code Review Plugin vulnerable to XSS via auto link commitsEPSS 0.3%CVE-2024-53994MEDIUMPotential bypass of chat permissions in DiscourseEPSS 0.3%CVE-2023-45816LOWUnread bookmark reminder notifications that the user cannot access can be seenEPSS 0.3%CVE-2026-44786HIGHDiscourse: Public chat MessageBus broadcasts are not restricted to chat-eligible usersEPSS 0.3%CVE-2024-53266MEDIUMCross-site Scripting (XSS) via topic titles when CSP disabled in DiscourseEPSS 0.3%CVE-2026-24742MEDIUMDiscourse staff action logs expose sensitive information to moderatorsEPSS 0.3%CVE-2026-27934HIGHDiscourse leaks private topic title and post excerpt via user action API endpointEPSS 0.3%CVE-2026-33393MEDIUMDiscourse fixes loose hostname matching in spam host allowlistEPSS 0.3%CVE-2026-33514MEDIUMDiscourse: Information Disclosure in Form Template API Due to Missing AuthorizationEPSS 0.3%CVE-2024-52589LOWModerators can view Screened emails even when the “moderators view emails” option is disabled in DiscourseEPSS 0.2%CVE-2026-23743MEDIUMDiscourse allows permalinks to restricted resources to leak resource slugs to unauthorized usersEPSS 0.2%CVE-2024-45303MEDIUMDiscourse Calendar plugin event names susceptible to XSSEPSS 0.2%CVE-2025-64528MEDIUMUsers are able to find users by name even when `enable_names` is offEPSS 0.2%CVE-2024-43408MEDIUMDiscourse Placeholder Forms has a XSS stopped by CSPEPSS 0.2%CVE-2023-37904LOWDiscourse Race Condition in Accept InviteEPSS 0.2%CVE-2026-26077MEDIUMDiscourse doesn't ensure webhooks require a tokenEPSS 0.2%

← previouspage 10 / 14next →