Discourse Vulnerabilities
Comprehensive security vulnerability database for Discourse products
2
0
2
0
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2026-26207 | 5.4 | This vulnerability allows any authenticated user to manipulate policies on posts they shouldn't be able to access, including private posts, and to discover which posts have policies based on error messages. It affects users of the discourse platform who have the `discourse-policy` plugin enabled and can be fixed by upgrading to the latest versions or disabling the plugin altogether. | discoursediscourse | Exploit Available | about 1 month agoFeb 26, 2026 |
| CVE-2026-26077 | 6.5 | This vulnerability allows attackers to send fake data to certain email service integrations on the Discourse platform, which can lead to legitimate user emails being mistakenly marked as undeliverable. It occurs when no authentication token is set up, meaning attackers can exploit this weakness without needing any special access. | discoursediscourse | Theoretical | about 1 month agoFeb 26, 2026 |
About Discourse Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Discourse products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.