Discord · Discord · CVE-2026-24332
**Name of the Vulnerable Software and Affected Versions**
Discord versions through 2026-01-16
**Description**
The software discloses whether a user’s client state is Invisible rather than actually offline. In the response to a WebSocket API request, an Invisible user is included in the `presences` array with a status of "offline", while truly offline users are omitted from the array. This behavior is inconsistent with the user interface description of Invisible, which states that users will appear offline. The issue lies in the handling of user presence information via the WebSocket API: the `/presences` API endpoint reveals the status of users who have set their status to Invisible. The `status` variable within the API response indicates whether a user is online, offline, idle, or do not disturb.
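The inconsistency described above, shown as a server-side normalisation step and a serializer regression check. This is an added example, not Discord code; only `presences` and `status` come from the advisory, while `user_id`, `guild_id`, the `"dnd"` wire value and the payload layout are assumptions.

```javascript
// Added example, not Discord code. Only `presences` and `status` come from
// the advisory; `user_id`, `guild_id`, "dnd" and the layout are assumptions.
const VISIBLE_STATUSES = new Set(["online", "idle", "dnd"]);

// Server-side normalisation: a member who should appear offline is left out
// of `presences` entirely, so Invisible and truly offline look the same.
// Allowlisting also drops malformed entries and unknown status strings.
function redactPresences(payload) {
  const presences = Array.isArray(payload.presences) ? payload.presences : [];
  return {
    ...payload,
    presences: presences.filter(
      (p) => p !== null && typeof p === "object" && VISIBLE_STATUSES.has(p.status)
    ),
  };
}

// Regression check for a response serializer: returns the ids of entries
// that are present but not visible, i.e. the condition the advisory reports.
function findNonVisibleEntries(payload) {
  const presences = Array.isArray(payload.presences) ? payload.presences : [];
  return presences
    .filter((p) => !(p && VISIBLE_STATUSES.has(p.status)))
    .map((p) => (p && p.user_id !== undefined ? p.user_id : null));
}

// Constructed sample: user 1001 is online, 1002 is Invisible, and 1003 is
// truly offline, so the server never listed it.
const SAMPLE_RESPONSE = {
  guild_id: "9000",
  presences: [
    { user_id: "1001", status: "online" },
    { user_id: "1002", status: "offline" },
  ],
};

const redacted = redactPresences(SAMPLE_RESPONSE);
console.log("flagged before redaction:", findNonVisibleEntries(SAMPLE_RESPONSE));
console.log("flagged after redaction:", findNonVisibleEntries(redacted));
console.log("members still listed:", redacted.presences.map((p) => p.user_id));
```

After redaction, users 1002 and 1003 are both absent from the array, so the response no longer separates Invisible from offline.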
**Recommendations**
Versions through 2026-01-16 should be updated when a fix becomes available.