Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: discourseAllPlugins

Found 63 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-28298
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 days, 8 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 3 days, 13 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 3 days, 8 hours ago
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

References

Affected products

2026.1.1
  • ==2026.1.1 and previous versions

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-28297
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 days, 13 hours ago
SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

References

Affected products

2026.1.1
  • ==2026.1.1 and previous versions

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2026-30889
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse has Unauthorized Post Data Exposure in discourse-user-notes

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

References

Affected products

discourse
  • === 2026.3.0-latest.1
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5qm9-r98f-g4mq
Published
Permalink CVE-2026-33426
3.5 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse users can edit or synonymize hidden tags they can't see

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-2289-4m46-2hxh
Published
Permalink CVE-2026-30888
2.2 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • ==< 2026.3.0-latest.1
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96
Published
Permalink CVE-2026-33427
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse Authorization Page Displays Unvalidated Redirect Domain

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr
Published
Permalink CVE-2026-33251
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse has a Hidden Solved topics permission bypass

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure only trusted users are part of the Site Setting for accept_all_solutions_allowed_groups.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
Published
Permalink CVE-2026-31869
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5f9h-vp7v-7vq5
Published
Permalink CVE-2026-33424
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
PM access granted through invites after access revocation

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hgcp-p7hq-cwxw
Published
Permalink CVE-2026-31805
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Discourse has a poll authorization bypass via post_id array parameter

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

References

Affected products

discourse
  • === 2026.3.0-latest.1
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823