Nixpkgs security tracker

Untriaged

Permalink CVE-2026-34154

2.1 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): Active (A)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Active (A)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 week, 5 days ago Activity log

Created suggestion 1 week, 5 days ago

Discourse has a subscription access bypass in its discourse-subscriptions plugin

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

References

https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g x_refsource_CONFIRM

Affected products

discourse

==< 2026.1.4
==>= 2026.5.0-latest, < 2026.5.0-latest.1
==>= 2026.4.0-latest, < 2026.4.1
==>= 2026.3.0-latest, < 2026.3.1

Matching in nixpkgs

pkgs.discourse

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourseAllPlugins

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>

Untriaged

Permalink CVE-2026-32244

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 1 week, 5 days ago Activity log

Created suggestion 1 week, 5 days ago

Discourse: Cached outdated summaries can leak removed content

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.

References

https://github.com/discourse/discourse/security/advisories/GHSA-hjmg-2mww-vfvx x_refsource_CONFIRM

Affected products

discourse

==< 2026.1.4
==>= 2026.5.0-latest, < 2026.5.0-latest.1
==>= 2026.4.0-latest, < 2026.4.1
==>= 2026.3.0-latest, < 2026.3.1

Matching in nixpkgs

pkgs.discourse

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourseAllPlugins

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>

Untriaged

Permalink CVE-2026-33514

6.0 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 week, 5 days ago Activity log

Created suggestion 1 week, 5 days ago

Discourse: Information Disclosure in Form Template API Due to Missing Authorization

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

References

https://github.com/discourse/discourse/security/advisories/GHSA-w6g7-p2p9-2m5h x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/ae5c9570fb918442c4d96abc83c1e7e169909b02 x_refsource_MISC

Affected products

discourse

==< 2026.1.4
==>= 2026.5.0-latest , < 2026.5.0-latest.1
==>= 2026.4.0-latest, < 2026.4.1
==>= 2026.3.0-latest, < 2026.3.1

Matching in nixpkgs

pkgs.discourse

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourseAllPlugins

Open source discussion platform

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3
nixos-25.11 2026.1.3
- nixos-25.11-small 2026.1.3
- nixpkgs-25.11-darwin 2026.1.3

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>

Untriaged

Permalink CVE-2026-27481

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Discourse: Hidden tag visibility bypass on tag routes

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-only) tags and its associated data. All Discourse instances with tagging enabled and staff-only tag groups configured are impacted. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-6c9x-3vrp-682x x_refsource_CONFIRM

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-34947

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Discourse: Staged user custom fields are exposed on public invite pages

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-4rcw-wq9x-54qw x_refsource_CONFIRM

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32619

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with polls in that topic, including voting and toggling poll status. No content was exposed, but users could modify poll state in topics they should no longer have access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-wq58-pvf6-w4p8 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/d74ff25db994f06aa27e3466684f613b4e986ba6 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32273

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: XSS on category description update via API

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-h2h4-767x-6pc8 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/05e3da2a670cfd499649128b6c955b552451240b x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32607

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console access to change), user and group display names are rendered without HTML escaping in several assignment-related UI paths. This allows users with assign permission to inject arbitrary HTML/JavaScript that executes in the browser of any user viewing an affected topic. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-xg68-q7ff-6gqm x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/46edb174e237c6e57bda9c494160da0a174fe70d x_refsource_MISC

Affected products

discourse

==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32615

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Category group moderators can perform actions on topics in restricted categories without read access

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-pr9m-5hpq-wc57 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/5a00b47523ec70cbb6e8efc3ac7677cc0a91448b x_refsource_MISC

Affected products

discourse

==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-33185

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products