CVE-2026-33393

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the allowed spam host domains check used String#end with? without domain boundary validation, allowing domains like attacker-example.com to bypass spam protection when example.com was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by .) to prevent suffix-based bypass of newuser spam host threshold. No known workarounds are available.