Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: discourseAllPlugins

Found 4 matching suggestions

Permalink CVE-2025-66488
created 2 weeks ago
Discourse allows script execution in uploaded HTML/XML files on S3

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1
  • ==>= 2025.11.0-latest, < 2025.11.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-69289
created 2 weeks ago
Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1
  • ==>= 2025.11.0-latest, < 2025.11.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-21865
created 2 weeks ago
Discourse topic conversion permission vulnerability for moderators

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1
  • ==>= 2025.11.0-latest, < 2025.11.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-23743
created 2 weeks ago
Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Affected products

discourse
  • ==< 3.5.4
  • ==>= 2026.1.0-latest, < 2026.1.0
  • ==>= 2025.12.0-latest, < 2025.12.1
  • ==>= 2025.11.0-latest, < 2025.11.2

Matching in nixpkgs

Package maintainers