Discourse Vulnerabilities
Comprehensive security vulnerability database for Discourse products
2
0
2
0
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2026-26265 | 7.5 | This vulnerability allows an attacker to access private user information, such as phone numbers and addresses, from all users in a Discourse forum, even if they are not logged in. It occurs because the system does not properly check permissions for certain user data fields, making it easy for anyone to exploit this flaw and collect sensitive information. | discoursediscourse | Exploit Available | about 1 month agoFeb 26, 2026 |
| CVE-2026-26078 | 7.5 | An attacker can send fake webhook messages to a Discourse site, allowing them to create, change, or delete Patreon pledge data if the site's webhook secret is left blank. To prevent this, it's crucial to set a strong, non-empty webhook secret in the site settings. | discoursediscourse | Theoretical | about 1 month agoFeb 26, 2026 |
About Discourse Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Discourse products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.