Pmusaraj

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 **Description** Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators could view the initial 40 characters of post edits within private messages and private categories. **Recommendations** Update Discourse to version 2026.3.0-latest.1 or later. Update Discourse to version 2026.2.1 or later. Update Discourse to version 2026.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 **Description** Discourse is an open-source discussion platform. The Post Edits admin report, accessible via the ''/admin/reports/post edits'' API endpoint, improperly exposed the initial 40 characters of raw post content from private messages and secure categories to moderators lacking the necessary permissions. This information leak affected content that should have remained confidential. **Recommendations** Update to Discourse version 2026.3.0-latest.1 or later. Update to Discourse version 2026.2.1 or later. Update to Discourse version 2026.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Discourse versions 3.5.0.beta4 before commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b **Description** A data leak issue affects Discourse, an open-source community platform, allowing some content on the site's homepage to be visible to unauthenticated users on login-required sites. The issue affects sites deployed between April 30, 2025, noon EDT, and May 2, 2025, noon EDT. Private content on an instance's homepage could be visible to unauthenticated users. Sites on the stable branch are unaffected. **Recommendations** For Discourse versions 3.5.0.beta4 before commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b, upgrade to a non-vulnerable version of Discourse to resolve the issue. No workarounds are available, and sites must be upgraded to a secure version to prevent the data leak.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to the latest version **Description** Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. The issue is resolved in the latest version of Discourse. **Recommendations** Upgrade to the latest version of Discourse to resolve the issue. As a temporary workaround, consider avoiding the use of lightbox thumbnails until the update is applied.

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest version Description: The issue affects sites using Discourse Connect with local logins enabled, potentially allowing attackers to bypass Discourse Connect and create accounts or log in. This problem has been patched in the latest version of Discourse. Recommendations: For versions prior to the latest version, as a temporary workaround, consider disabling all other login methods except Discourse Connect to minimize the risk of exploitation. Update to the latest version of Discourse to fully resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Discourse Calendar plugin versions prior to 0.5 **Description** The Discourse Calendar plugin is susceptible to XSS attacks when rendering event names. This issue only affects sites that have modified or disabled Discourse's default Content Security Policy. **Recommendations** For versions prior to 0.5, update to version 0.5 of the Discourse Calendar plugin to resolve the issue. As a temporary workaround, consider restricting the rendering of event names or re-enabling Discourse's default Content Security Policy until the patch can be applied.

**Name of the Vulnerable Software and Affected Versions** discourse-calendar (affected versions not specified) **Description** The discourse-calendar plugin has a limit on region value length that is too generous, allowing a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in the main branch. **Recommendations** Please upgrade the discourse-calendar plugin as soon as possible, as there are no workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** discourse-group-membership-ip-block (affected versions not specified) **Description** The discourse-group-membership-ip-block plugin sends all group custom fields to the client, including fields from other plugins that may be expected to remain secret. This issue affects the plugin's functionality of adding users to groups based on their IP address. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** discourse-calendar (affected versions not specified) **Description** The discourse-calendar plugin for the Discourse messaging platform is affected by an issue where improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. This is a non-default configuration, so the vast majority of sites are unaffected. **Recommendations** To resolve the issue, users are advised to upgrade to the latest version of the discourse-calendar plugin. If an upgrade is not possible, users should ensure CSP is enabled on the forum as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Discourse-jira (affected versions not specified) **Description** The issue is related to the implementation of the Discourse-jira plugin, which allows for the synchronization of Jira projects, issue types, fields, and field options. An administrator user can perform a Server-Side Request Forgery (SSRF) attack by setting the Jira URL to an arbitrary location and enabling the `discourse jira verbose log` site setting. A moderator user could manipulate the request path to the Jira API, allowing them to perform arbitrary GET requests using the Jira API credentials, potentially with elevated permissions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to the latest stable, beta and tests-passed versions **Description** The issue allows exploitation of embeddable comments to create new topics as any user without a clear title or content. **Recommendations** For versions prior to the latest stable, beta and tests-passed versions, update to the latest version to resolve the issue. As a temporary workaround, consider disabling embeddable comments by deleting all embeddable hosts.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.0.1 on the stable branch Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches **Description** The issue affects Discourse, an open-source discussion platform, where someone can use the `exclude tag` param to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. **Recommendations** For versions prior to 3.0.1 on the stable branch, update to version 3.0.1 or later. For versions prior to 3.1.0.beta2 on the beta and tests-passed branches, update to version 3.1.0.beta2 or later. As a temporary workaround, consider securing any categories that are using hidden tags, changing any existing hidden tags to not include private data, or removing any hidden tags currently in use.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.0.1 on the stable branch Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches **Description** Discourse is an open-source discussion platform. The contents of latest/top routes for restricted tags can be accessed by unauthorized users. This issue is patched in version 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches. **Recommendations** For Discourse versions prior to 3.0.1 on the stable branch, update to version 3.0.1 or later. For Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches, update to version 3.1.0.beta2 or later.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.1.0.beta1 **Description** Discourse is an open source platform for community discussion. The issue concerns the allocation of resources without limits, allowing users to create chat drafts of an unlimited length. This can cause a denial of service by generating an excessive load on the server. Additionally, an unlimited number of drafts were loaded when loading the user. **Recommendations** For versions prior to 3.1.0.beta1, upgrade to the latest version where a limit has been introduced to prevent the allocation of resources without limits. At the moment, there is no information about other workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.0.1 Discourse version 3.1.0.beta2 and earlier **Description** Discourse is an open source platform for community discussion. The issue is related to Allocation of Resources Without Limits or Throttling, where a malicious user can create an arbitrarily large draft, forcing the instance to a crawl, as there is no limit on data contained in a draft. **Recommendations** For versions prior to 3.0.1, update to version 3.0.1 or later. For version 3.1.0.beta2 and earlier, update to version 3.1.0.beta2 or later. As a temporary workaround, consider restricting the ability to create large drafts until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Discourse-Chat versions prior to 0.9 **Description** The issue affects users of Discourse Chat, an asynchronous messaging plugin for the Discourse open-source discussion platform. Admin users can insert HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. **Recommendations** For versions prior to 0.9, update to version 0.9 to resolve the issue. As a temporary workaround, consider restricting admin users' ability to insert HTML into chat titles and descriptions until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Discourse Assign versions prior to 1.0.1 **Description** The UserBookmarkSerializer in Discourse Assign serialized the whole User / Group object, which leaked some private information. This data was only accessible to people who could view assignment info, limited to staff by default, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. **Recommendations** For versions prior to 1.0.1, update to version 1.0.1 to resolve the issue. As a temporary workaround, consider restricting access to assignment info to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to the latest stable, beta and tests-passed versions **Description** The issue affects Discourse, an open source platform for community discussion. An attacker can poison the cache for anonymous users, causing them to see the crawler view of the site instead of the HTML page, leading to a partial denial-of-service. **Recommendations** Update to the latest stable, beta, or tests-passed version of Discourse to resolve the issue. As a temporary workaround, consider restricting access to anonymous users or implementing additional caching controls until a patch is applied.