In Discourse versions 3.3.2 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-53851 was detected. This vulnerability allows authenticated users to cause a denial of service by exploiting the endpoint for generating inline oneboxes for URLs. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53851.
Read more Communication
In Discourse versions prior to 3.3.3 on the `stable` branch and prior to 3.4.0.beta4 on the `tests-passed` branch a medium severity vulnerability CVE-2024-53266 was detected. This vulnerability allows attackers to execute arbitrary JavaScript via the user’s profile activity streams. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53266.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56328 was detected. This vulnerability allows attackers to post malicious links that can execute harmful code in users’ browsers if Content Security Policy protection is disabled on the site. To fix this issue, users should upgrade Discourse to versions 3.3.4 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit CVE-2024-56328.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta4 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56197 was detected. This vulnerability allows attackers to read the titles and metadata of private messages if the “PM tags allowed for groups” option is enabled and the attacker is a member of a group included in that list. To fix this issue, users should upgrade Discourse to version 3.3.4 and later on the `stable` branch or version 3.4.0.beta5 and later on the `beta` and `tests-passed` branches. For more details, visit CVE-2024-56197.
Read more Communication
In Discourse versions prior to 3.3.2 on the `stable` branch and prior to 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2024-55948 was detected. This vulnerability allows attackers to craft XHR requests that poison the anonymous cache, potentially serving responses with missing preloaded data to anonymous visitors. To address this issue, users should upgrade Discourse to versions 3.3.2 and later on the `stable` branch or version 3.4.0.beta3 and later on the` tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55948.
Read more Communication
In Discourse versions 3.3.2 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-53994 was detected. This vulnerability allows users who disable chat in preferences to still be reachable in some cases. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53994.
Read more Communication
In Discourse versions prior to 3.3.2 on the `stable` branch and 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2025-23023 was detected. This vulnerability allows attackers to poison the anonymous cache by crafting a request with specific headers, potentially leading to missing preloaded data in the cache. This issue affects only anonymous visitors to the site. To address this issue, users should upgrade to the latest version of Discourse. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-23023.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2025-22602 was detected. This vulnerability allows attackers to execute arbitrary JavaScript on users’ browsers by posting a malicious video placeholder HTML element. To address this issue, users should upgrade Discourse to version 3.3.4 on the `stable` branch or version 3.4.0.beta4 on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22602.
Read more Communication
In Zulip Server versions 7.0 and above a medium severity vulnerability CVE-2024-56136 was detected. This vulnerability allows unauthenticated attackers to determine if an email address is in use by a user on servers hosting multiple organizations. To address this issue, users should upgrade Zulip Server to version 9.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56136.
Read more Communication