Vulnerabilities in discourse

279 results
CVE ID           Severity  Description                                                                                        EPSS
CVE-2024-38360   MEDIUM    Denial of service via Watched Words in Discourse                                                   0.5%
CVE-2024-24748   MEDIUM    Disclosure of the existence of secret subcategories in Discourse                                   0.5%
CVE-2023-23615   MEDIUM    Malicious users in Discourse can create spam topics as any user due to improper access control     0.5%
CVE-2022-46148   HIGH      Discourse allows self-XSS through malicious composer message                                       0.5%
CVE-2023-25172   MEDIUM    Discourse vulnerable to Cross-site Scripting - user name displayed on post                         0.5%
CVE-2023-37906   MEDIUM    Discourse vulnerable to DoS via post edit reason                                                   0.4%
CVE-2022-41944   LOW       Discourse users can see notifications for topics they no longer have access to                     0.4%
CVE-2024-43789   HIGH      Denial of service by the absence of restrictions on replies to posts in Discourse                  0.4%
CVE-2023-25169   LOW       Yearly Review Plugin leaking anonymised users data in discourse-yearly-review                      0.4%
CVE-2025-53102   HIGH      Discourse's WebAuthn challenge isn't cleared from user session after authentication                0.4%
CVE-2023-44384   MEDIUM    Discourse-Jira could make SSRF attack by setting Jira URL to an arbitrary location                 0.4%
CVE-2023-30611   MEDIUM    Reaction metadata exposed in private topics in Discourse-reactions                                 0.4%
CVE-2023-32301   LOW       Discourse's canonical url not being used for topic embeddings                                      0.4%
CVE-2024-53851   MEDIUM    Partial denial of service via inline oneboxes in Discourse                                         0.4%
CVE-2024-24817   MEDIUM    User can see invitees in events created in PMs and private categories                              0.4%
CVE-2024-36113   MEDIUM    Discourse missing authorization checks for suspending admins/moderators                            0.4%
CVE-2023-43659   HIGH      Cross-site Scripting via email preview when CSP disabled in Discourse                              0.4%
CVE-2026-33355   MEDIUM    Discourse filters whisper posts from private-posts feed                                            0.4%
CVE-2021-39161   MEDIUM    Cross-site scripting via category name in Discourse                                                0.4%
CVE-2024-23654   MEDIUM    discourse-ai admin-initiated SSRF when interacting with AI services                                0.4%