In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a medium severity vulnerability CVE-2026-27149 was detected. This vulnerability allows attackers to bypass tag filter conditions in PM tag filtering (list_private_messages_tag), potentially disclosing unauthorized private message metadata. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27149.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a medium severity vulnerability CVE-2026-27021 was detected. This vulnerability allows attackers to access voter details of polls in any post due to missing post visibility checks in the voters endpoint of the poll plugin. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27021.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-26979 was detected. This vulnerability allows TL4 users to close, archive, and pin topics in private categories they do not have access to. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26979.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27152 was detected. This vulnerability allows users to bypass DM communication preferences when adding members via Chat::AddUsersToChannel, enabling them to add targets who have blocked, ignored or muted them to an existing DM channel. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27152.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27151 was detected. This vulnerability allows TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges because the move_posts action only checked can_move_posts? on the source topic and did not validate write permissions on the destination topic. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1 or 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27151.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27154 was detected. This vulnerability allows attackers to execute XSS by having a user full name evaluated as raw HTML when display_name_on_posts is set to true and prioritize_username_in_ux is set to false. Editing a post of a malicious user would trigger the XSS. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27154.
In Discourse versions prior to 2025.12.2, 2026.1.1 and 2026.2.0 a low severity vulnerability CVE-2026-27153 was detected. This vulnerability allows moderators to export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in can_export_entity?, allowing export of any entity not explicitly blocked. To address this issue users must upgrade to Discourse versions 2025.12.2, 2026.1.1, 2026.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27153.
In changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27645 was detected. This vulnerability allows an attacker to perform Reflected Cross-Site Scripting (XSS) via the RSS single-watch endpoint, where the UUID path parameter is reflected in the HTTP response without HTML escaping, leading to execution of arbitrary JavaScript in the user’s browser. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27645.