4.3

CVE-2026-33393

Discourse fixes loose hostname matching in spam host allowlist

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version >= 2026.1.0 < 2026.1.2
DiscourseDiscourse Version >= 2026.2.0 < 2026.2.1
DiscourseDiscourse Version2026.3.0 SwEditionlatest
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.25% 0.162
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2
Patch
https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02
Patch
https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6
Vendor Advisory