Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: discourse

Found 108 matching suggestions

View:
Compact
Detailed
Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
DIscourse has DM communication-preference bypass when adding members

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipient PM restrictions that are enforced during DM channel creation. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-f8ff-pxg3-7967
Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse has SQL injection in PM tag filtering

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w
Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse doesn't ensure guardian check when creating QueryGroupBookmark

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-rw95-54qr-qrw8
Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse doesn't validate destination topic when moving posts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-m69h-9m2g-cfgw
Untriaged
Permalink CVE-2025-67723
4.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 months ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    4 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Untriaged
Permalink CVE-2025-68933
6.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 5 months, 1 week ago Activity log
  • Created suggestion
Discourse non-admin moderators can exfiltrate private content via post ownership transfer

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-24742
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 5 months, 1 week ago Activity log
  • Created suggestion
Discourse staff action logs expose sensitive information to moderators

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1

Matching in nixpkgs

Package maintainers

Untriaged
created 5 months, 1 week ago Activity log
  • Created suggestion
Discourse users archives leaked to users with moderation privileges

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.

Affected products

discourse
  • ==>= 2025.12.0-latest, 2025.12.1
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0

Matching in nixpkgs

Package maintainers

Untriaged
created 5 months, 1 week ago Activity log
  • Created suggestion
Discourse moderators can access admin-only reports exposing private upload URLs

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1

Matching in nixpkgs

Package maintainers

Untriaged
created 5 months, 1 week ago Activity log
  • Created suggestion
Discourse AI Discover's continue conversation allows threat actor to impersonate user

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2025.11.0-latest, < 2025.11.2
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1

Matching in nixpkgs

Package maintainers