Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: discourseAllPlugins

Found 83 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-32244
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 5 days, 5 hours ago Activity log
  • Created suggestion 5 days, 5 hours ago
Discourse: Cached outdated summaries can leak removed content

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.

Affected products

discourse
  • ==>= 2026.3.0-latest, < 2026.3.1
  • ==< 2026.1.4
  • ==>= 2026.4.0-latest, < 2026.4.1
  • ==>= 2026.5.0-latest, < 2026.5.0-latest.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-34154
2.1 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 5 days, 5 hours ago Activity log
  • Created suggestion 5 days, 5 hours ago
Discourse has a subscription access bypass in its discourse-subscriptions plugin

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Affected products

discourse
  • ==>= 2026.3.0-latest, < 2026.3.1
  • ==< 2026.1.4
  • ==>= 2026.4.0-latest, < 2026.4.1
  • ==>= 2026.5.0-latest, < 2026.5.0-latest.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-33514
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 5 days, 5 hours ago Activity log
  • Created suggestion 5 days, 5 hours ago
Discourse: Information Disclosure in Form Template API Due to Missing Authorization

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Affected products

discourse
  • ==>= 2026.4.0-latest, < 2026.4.1
  • ==< 2026.1.4
  • ==>= 2026.5.0-latest , < 2026.5.0-latest.1
  • ==>= 2026.3.0-latest, < 2026.3.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-27481
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Discourse: Hidden tag visibility bypass on tag routes

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-only) tags and its associated data. All Discourse instances with tagging enabled and staff-only tag groups configured are impacted. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-34947
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Discourse: Staged user custom fields are exposed on public invite pages

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2026-33300
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 month, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 1 month, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v
Published
Permalink CVE-2026-33185
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 month, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 1 month, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3
Published
Permalink CVE-2026-32243
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 month, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 1 month, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
Discourse: Stored XSS in discourse-ai shared conversations onebox

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-pjc5-8x3w-rfwx
Published
Permalink CVE-2026-32273
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 month, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 1 month, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
Discourse: XSS on category description update via API

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-h2h4-767x-6pc8
Published
Permalink CVE-2026-32620
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    6 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • discourseAllPlugins
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 month, 3 weeks ago
  • @LeSuisse restored package discourseAllPlugins 1 month, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 1 month, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65