Vulnerabilities in discourse

279 results

Vexday analysis

Com 278 CVEs catalogadas e nenhuma entrada confirmada no catálogo KEV da CISA, o Discourse apresenta taxa de exploração ativa abaixo da média geral do catálogo, o que sugere menor pressão de ameaças imediatas em comparação ao universo típico de produtos monitorados. Ainda assim, 31 vulnerabilidades surgiram nos últimos 90 dias, indicando ritmo relevante de descobertas recentes que exige acompanhamento contínuo. A falha mais prevalente é CWE-200 (exposição de informações sensíveis), padrão que tende a se manifestar em plataformas de comunicação e pode facilitar reconhecimento por parte de atacantes. A CVE mais perigosa ativa atualmente é CVE-2024-53991, com escore EPSS de 0,2543 — o mais alto observado no conjunto —, e entre as cinco vulnerabilidades críticas catalogadas quatro já contam com prova de conceito pública, o que eleva o risco de exploração para equipes que ainda não aplicaram as correções correspondentes.

CVE-2023-49099LOWDiscourse secure uploads accessible to guests even when login is requiredEPSS 0.3%CVE-2023-31142LOWDiscourse's general category permissions could be set back to defaultEPSS 0.3%CVE-2024-45297MEDIUMPrevent topic list filtering by hidden tags for unauthorized users in DiscourseEPSS 0.3%CVE-2023-37467MEDIUMDiscourse CSP nonce reuse vulnerability for anonymous usersEPSS 0.3%CVE-2025-48053HIGHDiscourse vulnerable to DoS via large URL payload in PM to a botEPSS 0.3%CVE-2023-43814LOWExposure of poll options and votes to unauthorized users in DiscourseEPSS 0.3%CVE-2023-29196MEDIUMHTML injection via topic embedding in DiscourseEPSS 0.3%CVE-2023-49098LOWReaction data for user notifications exposed in Discourse-reactionsEPSS 0.3%CVE-2026-27936MEDIUMDiscourse discloses restricted post-action counts to non-privileged usersEPSS 0.3%CVE-2026-32099MEDIUMDiscourse prevents hidden profile data leak via user oneboxEPSS 0.3%CVE-2025-68662HIGHFinalDestination hostname matching allows SSRF protection bypassEPSS 0.3%CVE-2025-49845MEDIUMDiscourse users are able to see their own whispers even after being removed from a group that has been configured to see whispersEPSS 0.3%CVE-2026-33394LOWDiscourse leaks PM post edits to moderatorsEPSS 0.3%CVE-2026-33422LOWDiscourse exposes ip_address of flagged userEPSS 0.3%CVE-2026-27021MEDIUMDiscourse: Poll voters endpoint lacked post visibility checksEPSS 0.3%CVE-2022-23546MEDIUMDiscourse vulnerable to private topic leak via email#send_digestEPSS 0.3%CVE-2026-30889MEDIUMDiscourse has Unauthorized Post Data Exposure in discourse-user-notesEPSS 0.3%CVE-2025-59337MEDIUMDiscourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite DeploymentsEPSS 0.3%CVE-2026-33408LOWDiscourse has Improper Authorization in "Post Edits" Report For ModeratorsEPSS 0.3%CVE-2024-52794MEDIUMMagnific lightbox susceptible to Cross-site Scripting in DiscourseEPSS 0.3%

← previouspage 9 / 14next →