2.7

CVE-2026-33394

Discourse leaks PM post edits to moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version >= 2026.1.0 < 2026.1.2
DiscourseDiscourse Version >= 2026.2.0 < 2026.2.1
DiscourseDiscourse Version2026.3.0 SwEditionlatest
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.207
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 2.7 1.2 1.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c
Patch
https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1
Patch
https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p
Vendor Advisory