6.9

CVSS4.0

CVE-2026-5210 - SourceCodester Leave Application System file inclusion

A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used.

📅 Published: March 31, 2026, 6:30 p.m. 🔄 Last Modified: April 24, 2026, 6:12 p.m.

4.8

CVSS4.0

CVE-2026-5209 - SourceCodester Leave Application System User Management cross site scripting

A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclo…

📅 Published: March 31, 2026, 6:30 p.m. 🔄 Last Modified: April 24, 2026, 6:12 p.m.

4.8

CVSS4.0

CVE-2025-62184 - Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerabi…

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.

📅 Published: March 31, 2026, 5:52 p.m. 🔄 Last Modified: April 3, 2026, 9:17 p.m.

5.1

CVSS4.0

CVE-2026-33415 - Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not…

📅 Published: March 31, 2026, 5:42 p.m. 🔄 Last Modified: April 10, 2026, 9:45 a.m.

5.3

CVSS4.0

CVE-2026-33300 - Discourse: Hidden group names and access metadata are exposed to moderators through the `category-c…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden gro…

📅 Published: March 31, 2026, 5:42 p.m. 🔄 Last Modified: April 10, 2026, 9:45 a.m.

5.3

CVSS4.0

CVE-2026-33185 - Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and…

📅 Published: March 31, 2026, 5:41 p.m. 🔄 Last Modified: April 10, 2026, 9:46 a.m.

6.3

CVSS4.0

CVE-2026-33074 - Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher t…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that come along with a higher ti…

📅 Published: March 31, 2026, 5:41 p.m. 🔄 Last Modified: April 10, 2026, 9:46 a.m.

4.3

CVSS3.1

CVE-2026-32951 - Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category_id parameter …

📅 Published: March 31, 2026, 5:41 p.m. 🔄 Last Modified: April 10, 2026, 9:46 a.m.

5.3

CVSS4.0

CVE-2026-32620 - Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was…

📅 Published: March 31, 2026, 5:41 p.m. 🔄 Last Modified: April 10, 2026, 9:46 a.m.

6.3

CVSS4.0

CVE-2026-32619 - Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private cat…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with polls in that topic…

📅 Published: March 31, 2026, 5:40 p.m. 🔄 Last Modified: April 10, 2026, 9:46 a.m.
Total results: 349182