4.3
CVE-2024-53851 - Partial denial of service via inline oneboxes in Discourse
Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerabilitβ¦
4.3
CVE-2024-53994 - Potential bypass of chat permissions in Discourse
Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable thβ¦
8.2
CVE-2024-55948 - Anonymous cache poisoning via XHR requests in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problemβ¦
2.2
CVE-2024-56197 - Users can see other user's tagged PMs in Discourse
Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latestβ¦
6.5
CVE-2024-56328 - HTMLi(XSS without CSP) via Onebox urls in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are adβ¦
3.1
CVE-2025-22601 - Client Side Path Traversal using activate account route in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are adβ¦
6.5
CVE-2025-22602 - Stored DOM-based XSS (without CSP) via video placeholders in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest verβ¦
8.2
CVE-2025-23023 - Anonymous cache poisoning via request headers in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visβ¦
5
CVE-2024-45657 - IBM Security Verify Access incorrect privilege assignment
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.
6.5
CVE-2024-35138 - IBM Security Verify Access cross-site request forgery
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.