6 Feb 2025
Communication
Discourse: Unauthorized Username Change Vulnerability
In Discourse versions 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches, a low-severity vulnerability, CVE-2025-22601, was detected. This vulnerability allows attackers to trick users into changing their own username via a crafted link that uses the `activate-account` route. To address this issue, users should upgrade Discourse to version 3.4.0.beta4 or later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22601.