Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32113

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Open redirect via `sso_destination_url` cookie in `enter`

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/080408b93d00305b51d71f63f755f43fa601884d x_refsource_MISC
https://meta.discourse.org/t/using-discourse-as-a-sso-provider/32974 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32143

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-rhjf-mgqw-37wq x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/727029a2983a14b50bce19439fbf9840db8372aa x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32951

4.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category_id parameter matching the shared drafts category. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-v93g-8f4f-4rgm x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/0b4e6ff170362823d1cfe2a1a096785d0d77ee83 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32618

4.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-33074

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/c34f2aac8dcd1ae2886fa84256f607bc003f9d80 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32620

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65 x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-32243

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Stored XSS in discourse-ai shared conversations onebox

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the browser of any user viewing the onebox preview, potentially allowing session hijacking or unauthorized actions on behalf of the victim. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-pjc5-8x3w-rfwx x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/cac7d618a562ce934f8dbf73cdb70066a4806b4c x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-33300

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-33415

created 2 months ago Activity log

Created suggestion 2 months ago

Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/e1bb146a1fadc863a516fbc26c6277273a025308 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.1.0-latest, < 2026.1.3
==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Untriaged

Permalink CVE-2026-33073

created 2 months ago Activity log

Created suggestion 2 months ago

discourse-subscriptions plugin leaking stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References

https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/c34f2aac8dcd1ae2886fa84256f607bc003f9d80 x_refsource_MISC

Affected products

discourse

==>= 2026.2.0-latest, < 2026.2.2
==>= 2026.3.0-latest, < 2026.3.0
==>= 2026.1.0-latest, < 2026.1.3

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2026.1.2
- nixpkgs-unstable 2026.1.2
- nixos-unstable-small 2026.1.2
nixos-25.11 2026.1.2
- nixos-25.11-small 2026.1.2
- nixpkgs-25.11-darwin 2026.1.2

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers

References

Affected products