NIXPKGS-2026-0428
GitHub issue
published on 27 Feb 2026
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
5 packages
- discourse-mail-receiver
- python312Packages.pydiscourse
- python313Packages.pydiscourse
- python314Packages.pydiscourse
- grafanaPlugins.grafana-discourse-datasource
- @LeSuisse accepted
- @LeSuisse published on GitHub
Discourse has SQL injection in PM tag filtering
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
References
- https://github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w x_refsource_CONFIRM
Affected products
discourse
- ==< 2025.12.2
- ==>= 2026.1.0-latest, < 2026.1.1
- ==>= 2026.2.0-latest, < 2026.2.0
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
Ignored packages (5)
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>