In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a medium severity vulnerability CVE-2025-68666 was detected. This vulnerability allows users with moderation privileges to access user archives that should be restricted to administrators only, resulting in the exposure of private topic and post content and a breach of confidentiality. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68666.
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a high severity vulnerability CVE-2025-68662 was detected. This vulnerability allows attackers to bypass Server-Side Request Forgery (SSRF) protections under certain conditions due to improper hostname validation in the FinalDestination component. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68662.
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a medium severity vulnerability CVE-2025-68660 was detected. This vulnerability allows authenticated users to bypass ai_discover_persona access controls, gain unauthorized direct message access to AI personas connected to staff-only resources, and impersonate other users by supplying arbitrary user IDs, potentially leading to unauthorized data disclosure and abusive or misleading private message activity. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68660.
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a medium severity vulnerability CVE-2026-24742 was detected. This vulnerability allows non-administrator moderators to access sensitive administrator-only data via staff action logs, including webhook secrets, API keys, private messages, and restricted settings, potentially enabling confidential data leakage and webhook spoofing. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24742.
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a medium severity vulnerability CVE-2026-23743 was detected. This vulnerability allows unauthorized users to infer sensitive information about access-restricted resources, such as private topic titles, categories, posts, or hidden tags, via permalink redirects that expose resource slugs in the redirect Location header and the 404 page search box. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23743.
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 a medium severity vulnerability CVE-2026-21865 was detected. This vulnerability allows moderators to improperly convert certain personal messages into public topics, bypassing intended permission restrictions. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21865.
In the Snow Monkey Forms plugin for WordPress versions up to and including 12.0.3 a critical severity vulnerability CVE-2026-1056 was detected. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation in the generate_user_dirpath function. To address this issue, users should upgrade the Snow Monkey Forms plugin to version 12.0.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1056.
In the Simple Calendar for Elementor plugin for WordPress versions up to and including 1.6.6 a medium severity vulnerability CVE-2026-1310 was detected. This vulnerability allows unauthenticated attackers to delete arbitrary calendar entries due to missing capability checks on the miga_ajax_editor_cal_delete function, which is hooked to the miga_editor_cal_delete AJAX action with both authenticated and unauthenticated access enabled. To address this issue, users should upgrade the Simple Calendar for Elementor plugin to version 1.6.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1310.
In the Easy Replace Image plugin for WordPress versions up to and including 3.5.2 a medium severity vulnerability CVE-2026-1298 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to replace arbitrary image attachments on the site via the image_replacement_from_url function, which is hooked to the eri_from_url AJAX action, due to missing capability checks. To address this issue, users should upgrade the Easy Replace Image plugin to version 3.5.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1298.