In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a low-severity vulnerability CVE-2026-33394 was detected. This vulnerability allows moderators to view the first 40 characters of raw post content from private messages and secure categories via the Post Edits admin report, bypassing intended access restrictions. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33394.
In aaPanel version 7.57.0, a high-severity vulnerability CVE-2026-29856 was detected. This vulnerability allows attackers to cause a Regular Expression Denial of Service (ReDoS) via crafted input due to improper handling in the VirtualHost configuration parser component. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29856.
In aaPanel version 7.57.0, a critical-severity vulnerability CVE-2026-29859 was detected. This vulnerability allows attackers to execute arbitrary code by uploading a crafted file through an arbitrary file upload flaw. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29859.
In aaPanel version 7.57.0, a high-severity vulnerability CVE-2026-29858 was detected. This vulnerability allows attackers to execute a local file inclusion (LFI) attack due to a lack of path validation, potentially leading to sensitive information exposure. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29858.
In Vaultwarden versions prior to 1.35.4, a medium-severity vulnerability CVE-2026-27898 was detected. This vulnerability allows authenticated users to access sensitive data from another user’s cipher by exploiting the “PUT /api/ciphers/{id}/partial” endpoint, which improperly returns cipher details despite access restrictions. To address this issue, users should upgrade Vaultwarden to version 1.35.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27898.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a high-severity vulnerability CVE-2026-29072 was detected. This vulnerability allows users who are not in allowed policy creation groups to create functional policy acceptance widgets in posts under certain conditions, bypassing intended restrictions. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29072.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a low-severity vulnerability CVE-2026-30888 was detected. This vulnerability allows moderators to escalate their privileges and edit site policy documents (such as ToS, guidelines, and privacy policy) that they are explicitly prohibited from modifying via the suspend/silence endpoint. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30888.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability CVE-2026-30889 was detected. This vulnerability allows moderators to access metadata of posts they should not have permission to view, due to insufficient authorization checks in the discourse-user-notes component. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30889.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a medium-severity vulnerability CVE-2026-30891 was detected. This vulnerability allows users to access private activity data of other users due to insufficient authorization checks in the user actions endpoint. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-30891.