In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta4 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56197 was detected. This vulnerability allows attackers to read the titles and metadata of private messages if the “PM tags allowed for groups” option is enabled and the attacker is a member of a group included in that list. To fix this issue, users should upgrade Discourse to version 3.3.4 and later on the `stable` branch or version 3.4.0.beta5 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-56197.
Read more Communication
In Discourse versions prior to 3.3.2 on the `stable` branch and prior to 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2024-55948 was detected. This vulnerability allows attackers to craft XHR requests that poison the anonymous cache, potentially serving responses with missing preloaded data to anonymous visitors. To address this issue, users should upgrade Discourse to versions 3.3.2 and later on the `stable` branch or version 3.4.0.beta3 and later on the` tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55948.
Read more Communication
In Discourse versions 3.3.2 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-53994 was detected. This vulnerability allows users who disable chat in preferences to still be reachable in some cases. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53994.
Read more Communication
In Discourse versions prior to 3.3.2 on the `stable` branch and 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2025-23023 was detected. This vulnerability allows attackers to poison the anonymous cache by crafting a request with specific headers, potentially leading to missing preloaded data in the cache. This issue affects only anonymous visitors to the site. To address this issue, users should upgrade to the latest version of Discourse. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-23023.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2025-22602 was detected. This vulnerability allows attackers to execute arbitrary JavaScript on users’ browsers by posting a malicious video placeholder HTML element. To address this issue, users should upgrade Discourse to version 3.3.4 on the `stable` branch or version 3.4.0.beta4 on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22602.
Read more Communication
In Zulip Server versions 7.0 and above a medium severity vulnerability CVE-2024-56136 was detected. This vulnerability allows unauthenticated attackers to determine if an email address is in use by a user on servers hosting multiple organizations. To address this issue, users should upgrade Zulip Server to version 9.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56136.
Read more Communication
In Mattermost Mobile versions 2.22.0 and prior a medium severity vulnerability CVE-2025-20072 was detected. This vulnerability allows attackers to crash the mobile app by supplying crafted malicious input to the style of proto in `post.props.attachments`. To address this issue, users should upgrade to version 2.23.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20072.
Read more Communication
In Mattermost Mobile versions before 2.22.0 a medium severity vulnerability CVE-2025-20630 was detected. This vulnerability allows attackers to crash the Mattermost Mobile app by sending a post with attachments that contain fields unable to be converted to a String. To fix this issue, users should upgrade Mattermost Mobile to version 2.23.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2025-20630.
Read more Communication
In Mattermost versions 10.2.0 and earlier in 10.2.x, 9.11.5 and earlier in 9.11.x, 10.0.3 and earlier in 10.0.x, and 10.1.3 and earlier in 10.1.x a medium severity vulnerability CVE-2025-20621 was detected. This vulnerability allows attackers to crash the Mattermost web app by sending a post with attachments containing fields that cannot be converted to a String. To fix this issue, users should upgrade Mattermost to versions 10.2.1, 10.1.4, 10.0.4 and 9.11.6. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2025-20621.
Read more Communication