PT-2026-5194 · Discourse · Discourse

Published: 2026-01-28 · Updated: 2026-02-02 · CVE-2025-69218

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

- Discourse versions prior to 3.5.4
- Discourse versions prior to 2025.11.2
- Discourse versions prior to 2025.12.1
- Discourse versions prior to 2026.1.0

Description

Discourse is an open source discussion platform. Moderators can access the top uploads admin report, which should be restricted to administrators only. The report lists direct URLs to every file uploaded to the site, potentially including sensitive content such as user data exports, admin backups and other private attachments that moderators are not meant to see. A moderator account is therefore sufficient to reach data that only administrators should be able to read.

Recommendations

- Update Discourse to version 3.5.4 or later.
- Update Discourse to version 2025.11.2 or later.
- Update Discourse to version 2025.12.1 or later.
- Update Discourse to version 2026.1.0 or later.
- Limit moderator privileges to trusted users until the patch is applied.
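The authorization flaw described above, modelled as an added Ruby example (this is not Discourse's own code; the Report and Guardian structures, the admin_only flag and the report names are assumptions): the weak staff-level check beside the corrected admin-only check, plus an audit helper that lists which admin-only reports a given account can still reach under each check.

```ruby
# Hypothetical model of the authorization decision (not Discourse's code).
# A report carries an admin_only flag; "staff" means admin OR moderator.
Report = Struct.new(:name, :admin_only)

# Constructed sample reports; "top_uploads" stands for the report that
# lists direct URLs of every upload on the site.
REPORTS = [
  Report.new("top_uploads", true),
  Report.new("page_views", false),
].freeze

# Minimal stand-in for a per-user permission object (assumption).
Guardian = Struct.new(:admin, :moderator) do
  def is_admin?
    admin
  end

  def is_staff?
    admin || moderator
  end
end

# Weak check: gating every report on "staff" lets moderators open
# admin-only reports, which is the class of bug in the advisory.
def can_see_report_vulnerable?(guardian, _report)
  guardian.is_staff?
end

# Corrected check: admin-only reports require an administrator;
# ordinary reports remain visible to all staff.
def can_see_report_fixed?(guardian, report)
  report.admin_only ? guardian.is_admin? : guardian.is_staff?
end

# Audit helper: names of admin-only reports this guardian can reach
# when the access decision is made by the named check.
def exposed_admin_reports(guardian, check)
  REPORTS.select { |r| r.admin_only && send(check, guardian, r) }.map(&:name)
end

MODERATOR = Guardian.new(false, true)
ADMIN     = Guardian.new(true, false)
REGULAR   = Guardian.new(false, false)
```

Running the audit with the moderator account against both checks shows the exposure under the weak check and its absence under the corrected one.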


Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2025-69218
CVE-2025-69218
GHSA-79F9-J8H4-3W6W

Affected Products

Discourse