Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: discourse

Found 108 matching suggestions

View:
Compact
Detailed
Published
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Category group moderators can perform actions on topics in restricted categories without read access

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-pr9m-5hpq-wc57
Published
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Open redirect via `sso_destination_url` cookie in `enter`

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-28298
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Affected products

2026.1.1
  • ==2026.1.1 and previous versions

Matching in nixpkgs

pkgs.discourse

Open source discussion platform

  • nixos-unstable -

Package maintainers

Untriaged
Permalink CVE-2026-28297
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 3 months, 1 week ago Activity log
  • Created suggestion
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Affected products

2026.1.1
  • ==2026.1.1 and previous versions

Matching in nixpkgs

pkgs.discourse

Open source discussion platform

  • nixos-unstable -

Package maintainers

Published
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse has Unauthorized Post Data Exposure in discourse-user-notes

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

Affected products

discourse
  • === 2026.3.0-latest.1
  • ==>= 2026.1.0-latest, < 2026.1.2
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5qm9-r98f-g4mq
Published
Permalink CVE-2026-33426
3.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse users can edit or synonymize hidden tags they can't see

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-2289-4m46-2hxh
Published
Permalink CVE-2026-30888
2.2 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==< 2026.3.0-latest.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96
Published
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse Authorization Page Displays Unvalidated Redirect Domain

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr
Published
Permalink CVE-2026-33251
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse has a Hidden Solved topics permission bypass

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure only trusted users are part of the Site Setting for accept_all_solutions_allowed_groups.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
Published
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5f9h-vp7v-7vq5