Vulnerabilities in discourse

279 results

Vexday analysis

Com 278 CVEs catalogadas e nenhuma entrada confirmada no catálogo KEV da CISA, o Discourse apresenta taxa de exploração ativa abaixo da média geral do catálogo, o que sugere menor pressão de ameaças imediatas em comparação ao universo típico de produtos monitorados. Ainda assim, 31 vulnerabilidades surgiram nos últimos 90 dias, indicando ritmo relevante de descobertas recentes que exige acompanhamento contínuo. A falha mais prevalente é CWE-200 (exposição de informações sensíveis), padrão que tende a se manifestar em plataformas de comunicação e pode facilitar reconhecimento por parte de atacantes. A CVE mais perigosa ativa atualmente é CVE-2024-53991, com escore EPSS de 0,2543 — o mais alto observado no conjunto —, e entre as cinco vulnerabilidades críticas catalogadas quatro já contam com prova de conceito pública, o que eleva o risco de exploração para equipes que ainda não aplicaram as correções correspondentes.

CVE-2025-47288LOWDiscourse Policy plugin private group members visibleEPSS 0.2%CVE-2026-33424MEDIUMPM access granted through invites after access revocationEPSS 0.2%CVE-2026-47264MEDIUMDiscourse: Don't leak restricted tag group names via tag infoEPSS 0.2%CVE-2025-68660MEDIUMDiscourse AI Discover's continue conversation allows threat actor to impersonate userEPSS 0.2%CVE-2025-32376MEDIUMDiscourse DM limits aren’t always properly enforcedEPSS 0.2%CVE-2026-31805MEDIUMDiscourse has a poll authorization bypass via post_id array parameterEPSS 0.2%CVE-2026-34154LOWDiscourse has a subscription access bypass in its discourse-subscriptions pluginEPSS 0.2%CVE-2026-30888LOWDiscourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpointEPSS 0.2%CVE-2026-34947LOWDiscourse: Staged user custom fields are exposed on public invite pagesEPSS 0.2%CVE-2026-47263MEDIUMDiscourse: Prevent webhook payload disclosure on event redeliveryEPSS 0.2%CVE-2026-32114MEDIUMDiscourse's unscoped status lookups leak restricted metadataEPSS 0.2%CVE-2026-33411MEDIUMDiscourse's solved topic stream has potential stored XSS in topic titleEPSS 0.2%CVE-2026-33427LOWDiscourse Authorization Page Displays Unvalidated Redirect DomainEPSS 0.2%CVE-2026-33425MEDIUMDiscourse has inferable private group membership or existence via exclude_groups parameterEPSS 0.2%CVE-2026-45085MEDIUMDiscourse: Chat misauthorization and information disclosureEPSS 0.2%CVE-2025-69218HIGHDiscourse moderators can access admin-only reports exposing private upload URLsEPSS 0.2%CVE-2026-32620MEDIUMDiscourse: Missing post-level authorization allows whisper metadata disclosureEPSS 0.2%CVE-2026-32951MEDIUMDiscourse: Authorization bypass in oneboxer via user-controlled category idEPSS 0.2%CVE-2026-32618MEDIUMDiscourse: Unauthorized channel membership inference via excluded_memberships_channel_idEPSS 0.2%CVE-2025-48062HIGHDiscourse vulnerable to HTML injection when inviting to topic via emailEPSS 0.2%

← previouspage 12 / 14next →