Vulnerabilities in discourse

279 results
Vexday analysis

With 278 catalogued CVEs and no confirmed entry in CISA's KEV catalog, Discourse shows an active-exploitation rate below the catalog-wide average, which suggests less immediate threat pressure than the typical monitored product faces. Even so, 31 vulnerabilities have appeared in the last 90 days, a significant pace of recent discoveries that calls for continuous monitoring. The most prevalent weakness is CWE-200 (exposure of sensitive information), a pattern that tends to show up in communication platforms and can aid attacker reconnaissance. The most dangerous currently active CVE is CVE-2024-53991, with an EPSS score of 0.2543 (the highest observed in the set, i.e. an estimated probability of roughly 25% that it is exploited within the next 30 days), and four of the five critical vulnerabilities catalogued already have a public proof of concept, which raises the exploitation risk for teams that have not yet applied the corresponding fixes.

CVE-2026-33423 (LOW, EPSS 0.2%): Discourse staff can modify any user's group notification level
CVE-2026-28219 (LOW, EPSS 0.2%): Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners
CVE-2025-24808 (MEDIUM, EPSS 0.2%): Discourse has race condition when adding users to a group DM
CVE-2026-33291 (MEDIUM, EPSS 0.2%): Discourse user can create Zendesk tickets even when it does not have access to topic
CVE-2025-67723 (MEDIUM, EPSS 0.2%): Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin
CVE-2026-32113 (MEDIUM, EPSS 0.2%): Discourse: Open redirect via `sso_destination_url` cookie in `enter`
CVE-2026-44785 (MEDIUM, EPSS 0.2%): Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts
CVE-2026-44782 (MEDIUM, EPSS 0.2%): Discourse: GroupPostSerializer leaks hidden full names through reaction post association
CVE-2025-58054 (LOW, EPSS 0.2%): Discourse is vulnerable to XSS when quoting chat messages
CVE-2026-44780 (MEDIUM, EPSS 0.2%): Discourse: Category queue reviewers can read raw incoming emails from queued posts
CVE-2026-33415 (MEDIUM, EPSS 0.2%): Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
CVE-2025-54411 (LOW, EPSS 0.2%): Discourse welcome banner user name XSS
CVE-2026-27166 (MEDIUM, EPSS 0.2%): Discourse vulnerable to HTML injection via prohibited iframe URLs
CVE-2026-33185 (MEDIUM, EPSS 0.2%): Discourse: Group SMTP test endpoint susceptible to SSRF
CVE-2026-31869 (MEDIUM, EPSS 0.2%): Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
CVE-2026-33073 (LOW, EPSS 0.2%): discourse-subscriptions plugin leaking stripe API key in multisite environment
CVE-2025-66488 (MEDIUM, EPSS 0.2%): Discourse allows script execution in uploaded HTML/XML files on S3
CVE-2026-33074 (MEDIUM, EPSS 0.2%): Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
CVE-2025-68479 (HIGH, EPSS 0.2%): Discourse subscriptions are susceptible to takeover
CVE-2026-32243 (MEDIUM, EPSS 0.2%): Discourse: Stored XSS in discourse-ai shared conversations onebox