Discourse
discourse.orgA fully open-source, self-hostable discussion platform usable as a mailing list, discussion forum, or long-form chat room.
- Homepage: discourse.org
- GitHub: github.com/discourse/discourse
- Privacy: discourse.org/privacy
- Web info: web-check.xyz/check/discourse.org
Discourse Privacy Policy
Privacy Policy Summary
- You can opt out of promotional communications
- This Service provides a list of Third Parties involved in its operation.
- This service gives your personal data to third parties involved in its operation
- If you are the target of a copyright holder's take down notice, this service gives you the opportunity to defend yourself
- This service is a subsidiary of Civilized Discourse Construction Kit, Inc.
- Information is provided about how your personal data is collected
- Your personal data is not sold
- Information is provided about what kind of personal information is collected
- Logs are deleted after a finite period of time
- You must create an account to use this service
- Your private content may be accessed by people working for the service
- Private messages can be read
- Extra data may be collected about you through promotions
- First-party cookies are used
- A list of all cookies set by the website is provided
- Third parties are involved in operating the service
- Two factor authentication is provided for your account
- Third-party cookies are used for advertising
- Your personal data may be used for marketing purposes
- Your data is processed and stored in a country that is less friendly to user privacy protection
- Third party cookies are employed, but with opt out instructions
- Do Not Track (DNT) headers are ignored and you are tracked anyway even if you set this header
- You can request access, correction and/or deletion of your data
- Your data may be processed and stored anywhere in the world
- The service will resist legal requests for your information where reasonably possible
- The service will try to inform and/or notify you regarding government inquiries that may involve your personal information
- The service claims to be CCPA compliant for California users
- You have the right to leave this service at any time
- This service will continue using anonymized user-generated content after erasure of personal information
- Third-party cookies are used for statistics
- A complaint mechanism is provided for the handling of personal data
- There is a date of the last update of the agreements
- The terms may be changed at any time, but you will receive notification of the changes
- Your personal data is aggregated into statistics
- The service is open-source
- Your personal data will not be used for an automated decision-making
- The service claims to be GDPR compliant for European users
- You can retrieve an archive of your data
- Many third parties are involved in operating the service
Score
Documents
- Copyright PolicyCreated 16 Jan 21, Last modified 2 months ago
- SubprocessorsCreated 24 Apr 26, Last modified 2 months ago
- Master Enterprise Hosting AgreementCreated 24 Apr 26, Last modified 2 months ago
- Self-Serve Hosting TermsCreated 24 Apr 26, Last modified 2 months ago
- Free Trial TermsCreated 24 Apr 26, Last modified 2 months ago
- Privacy PolicyCreated 16 Jan 21, Last modified 2 months ago
Domains Covered by Policy
- discourse.org
- rubytalk.org
About the Data
This data is kindly provided by tosdr.org. Read full report at: #1340
Discourse Source Code
Author
Description
A platform for community discussion. Free, open, simple.
Homepage
https://www.discourse.orgLicense
GPL-2.0
Created
12 Jan 13
Last Updated
04 Jul 26
Latest version
Primary Language
Ruby
Size
935,131 KB
Stars
47,392
Forks
8,948
Watchers
47,392
Language Usage
Star History
Top Contributors
-
@SamSaffron (7004)
-
@eviltrout (6610)
-
@tgxworld (5028)
-
@ZogStriP (4128)
-
@dependabot[bot] (3845)
-
@jjaffeux (3313)
-
@davidtaylorhq (3007)
-
@nlalonde (2682)
-
@awesomerobot (2210)
-
@coding-horror (2166)
-
@cvx (2134)
-
@arpitjalan (1963)
-
@martin-brennan (1811)
-
@pmusaraj (1416)
-
@gschlager (1152)
-
@nbianca (823)
-
@vinothkannans (742)
-
@KrisKotlarek (699)
-
@OsamaSayegh (630)
-
@xfalcox (517)
-
@chapoi (507)
-
@riking (506)
-
@romanrizzi (500)
-
@markvanlan (483)
-
@nattsw (463)
-
@discourse-translator-bot (434)
-
@oblakeerickson (431)
-
@danielwaterworth (414)
-
@Drenmi (406)
-
@dependabot-preview[bot] (385)
-
@jordanvidrine (380)
-
@dbattersby (380)
-
@udan11 (380)
-
@janzenisaac (364)
-
@keegangeorge (287)
-
@renato (286)
-
@AndrewPrigorshnev (283)
-
@Flink (265)
-
@megothss (243)
-
@featheredtoast (217)
-
@hnb-ku (203)
-
@jancernik (156)
-
@tyb-talks (139)
-
@vikhyat (137)
-
@Grubba27 (129)
-
@majakomel (126)
-
@Supermathie (122)
-
@pento (116)
-
@scossar (116)
-
@kubamracek (115)
-
@jbrw (108)
-
@s3lase (106)
-
@jomaxro (97)
-
@erickguan (94)
-
@xrav3nz (87)
-
@velesin (81)
-
@jdmartinez1062 (66)
-
@chrishunt (65)
-
@chancancode (64)
-
@cpradio (61)
-
@tshenry (60)
-
@gdpelican (59)
-
@tobiaseigen (53)
-
@pfaffman (53)
-
@rishabhnambiar (51)
-
@mcwumbly (50)
-
@khalilovcmded (47)
-
@Lhcfl (47)
-
@branquinhoaa (42)
-
@gnunicorn (41)
-
@blake-discourse (40)
-
@LeoMcA (40)
-
@angusmcleod (40)
-
@MeghnaAJ (39)
-
@ellaestigoy (36)
-
@abbat (35)
-
@tms (35)
-
@ofgeek (34)
-
@Elberet (33)
-
@jmperez127 (32)
-
@tannerabread (31)
-
@justindirose (31)
-
@ducks (31)
-
@nullchristo (30)
-
@mpalmer (30)
-
@Qasem-h (30)
-
@rngus2344 (27)
-
@merefield (26)
-
@dmacjam (26)
-
@mrfinch (25)
-
@sketchius (25)
-
@derekrushforth (24)
-
@marstall (24)
-
@small-lovely-cat (24)
-
@Canapin (23)
-
@caugner (21)
-
@nschonni (21)
-
@andrewschleifer (19)
-
@stephankaag (19)
-
@communiteq (19)
Recent Commits
-
Kris (04 Jul 26)
UX: minor padding fix for mobile PM topic map (#41445) Too much left padding on mobile in the PM topic map before <img width="350" alt="image" src="https://github.com/user-attachments/assets/fb5354a8-a01c-4d7d-9e18-a122ea51594c" /> after <img width="350" alt="image" src="https://github.com/user-attachments/assets/f39cb8fa-6035-43e2-ba3a-e97b8eb75a83" />
-
Kris (03 Jul 26)
FIX: avoid double arrow key nav for select-kit-filter (#41443) Currently when you search for a tag in the composer, it requires two arrow key presses to reach the second option, even though the first option is already highlighted. This is because the create option (first row) is pre-highlighted... so arrow down in select-kit calls `this.selectKit.highlightFirst()` and you end up re-highlighting it on the first arrow press. This checks if a row is pre-highlighted to avoid `highlightFirst` and instead fires `highlightNext` (and the opposite for up arrow cases)
-
Jordan Vidrine (03 Jul 26)
UX: Remove new height variables from foundation modernization (#41440)
-
Michael Brown (03 Jul 26)
DEV: remove x-real-ip references (#41371) Discourse (rails) doesn't actually use the `x-real-ip` header, so remove it from the sample nginx configuration. Discourse was also logging it in `discourse/lib/discourse_logstash_logger.rb`, but it doesn't actually mean anything to the application so there's no point in doing so.
-
Gabriel Grubba (03 Jul 26)
SECURITY: Filter private subcategory counts from category listings (#41384) The category list aggregate topic counts included direct subcategories without checking whether the current guardian could see them. Before we the only possible information that could be gotten was: - private subcategory topic counts - recency buckets for topic creation: day/week/month/year/all-time Co-authored-by: discourse-patch-triage <272280883+discourse-patch-triage[bot]@users.noreply.github.com>
-
Renato Atilio (03 Jul 26)
FIX: Keep quotes around wrap bbcode attribute values with spaces (#41429) The rich text editor's wrap serialize/parse helpers are meant to mirror the server bbcode parser, but they never handled quoting: `serializeAttributes` emitted bare `key=value` pairs and `parseAttributesString` split on whitespace. So a value containing spaces such as `repo-name="Homepage Feature"` was rewritten as `repo-name=Homepage Feature` on the next markdown/RTE toggle, breaking the bbcode. `serializeAttributes` now wraps values that contain whitespace in double quotes, matching how `[quote=...]` already serializes. `parseAttributesString` reconstructs the tag and delegates to the markdown-it `parseBBCodeTag`, so it reads quoted values back in full parity with the server (every supported quotation mark, not just double quotes), keeping the round-trip lossless.
-
Penar Musaraj (03 Jul 26)
DEV: Apply different first-day limits for TL0 and TL1 (#41433) Two changes here: - the first-day limits clock now starts when user account is created (previously, it was starting when the first post was created) - TL1 gets its own limits, by default 6 topics and 30 replies, configurable via its own site settings `tl1_max_topics_in_first_day`, `tl1_max_replies_in_first_day` I'm not thrilled to add yet another site setting here, but this change is useful, it allows better separation between TL0 and TL1 in a critical first day of use. Context in https://meta.discourse.org/t/bootstrap-mode-is-legacy/402468/17?u=pmusaraj
-
Penar Musaraj (03 Jul 26)
DEV: auto-silence only if a post is queued (#41435) A new user could previously get in a permanent silenced state by simply uploading 2 or more media items in their first post by uploading quickly and not adding any content. Our code would silence them (via fast typing detection) and not queue the reviewable because the post would be rejected, from `newuser_max_embedded_media`. This fix ensures that the silence only happens if the post is queued for review.
-
Rafael dos Santos Silva (03 Jul 26)
DEV: Add `full-page-refresh-on-navigation` value transformer (#41436) Previously, when a new client version was deployed, the next navigation always became a full page load, which destroyed long-lived client state ā for example dropping users out of an ongoing voice call. This change wraps that decision (in `DiscourseURL#routeTo` and `DNavItem`) in a new `full-page-refresh-on-navigation` value transformer, so plugins can defer the reload while such state is active; the refresh then happens on the first navigation after the transformer stops deferring it. Co-authored-by: David Taylor <[email protected]>
-
David Taylor (03 Jul 26)
DEV: Drop (almost)-unused `TopicEntrance` component (#41424) We stopped using this UI in most topic lists as part of the raw-hbs -> glimmer conversion, since it was seldom-used, and simple links are a better UX. However, the implementation remained, and it was still accessible in some very specific places (e.g. user-activity/topics on mobile devices). This commit strips out the implementation, so we have consistent behavior across all topic lists.
-
David Taylor (03 Jul 26)
DEV: Drop unused `decorateCooked` from discourse-details (#41426) This has been a no-op since 8f2f9e6afa0 in 2020, when we removed the JS polyfill of `<details>`
-
David Taylor (03 Jul 26)
DEV: Convert caret-position from JQuery to vanilla JS (#41428) This was verified by a/b testing a large number of scenarios against old and new implementations, and confirming that they returned precisely identical coordinates.
-
David Taylor (03 Jul 26)
DEV: Convert reactions animations from JQuery to native (#41427)
-
David Taylor (03 Jul 26)
DEV: Drop jquery in patreon plugin (#41425) This was doing direct manipulation of ember-rendered DOM, which is risky. This commit changes it to be a simple non-animated closure, which is safer, and more in line with other Discourse UX.
-
David Taylor (03 Jul 26)
DEV: Remove jquery usage from `lib/url` (#41422)
-
David Taylor (03 Jul 26)
DEV: Remove jquery from select-kit-helper and category-badge-test (#41421) - The 'selectAll' path in the select-kit-helper is completely unused, so we can just drop it - Update HTML parsing in category-badge-test
-
discoursebot (03 Jul 26)
FEATURE: Bump ai_bot_enable_docked_composer upcoming change to beta (#40922) <!-- upcoming-change-status-pr:ai_bot_enable_docked_composer --> This automated PR moves `ai_bot_enable_docked_composer` from `alpha` to `beta` after 14+ days without a status change. - Last status change commit: [`b3b561e5fad412c038e222499ebe22050b4a8de4`](https://github.com/discourse/discourse/commit/b3b561e5fad412c038e222499ebe22050b4a8de4) - Last status change date: `2026-05-04T09:26:32-07:00` - Settings file: `plugins/discourse-ai/config/settings.yml` - Original author: Keegan George (<[email protected]>) - Original PR: #39708
-
RƩgis Hanol (03 Jul 26)
UX: Normalize automatic membership email domains (#41434) Previously, entering an automatic membership email domain that included an `@` (such as `@acme.io` or a pasted email or URL) warned the admin and blocked the save until they hand-edited it down to a bare domain. This change quietly normalizes those entries to the bare domain ā stripping any scheme, path, port, `@` prefix, casing, and surrounding whitespace ā so common paste mistakes just work, while the server still rejects genuinely invalid domains on save. Follow up to #41233
-
Gerhard Schlager (03 Jul 26)
MT: Let a generated model declare its conflict strategy in the schema DSL The per-table merge policy reads `conflict_strategy` off each model, but only the hand-written `upload` model could declare it ā a generated model always got a plain `INSERT` because the generator has no notion of a conflict clause. This adds a `conflict_strategy :ignore` directive to the table DSL and threads it through to `ModelWriter`, so a generated model can opt into `INSERT OR IGNORE`: the writer emits both the `OR IGNORE` SQL and a `self.conflict_strategy` method, which is what `IntermediateDB.conflict_strategy_for` reads at run time. It defaults to `:raise` and only emits anything for `:ignore`, so every existing generated model regenerates byte-for-byte. No table uses it yet ā `uploads` stays a manual model ā but the option now lives in the schema config where the rest of a table's shape is declared.
-
Gerhard Schlager (03 Jul 26)
MT: Only use INSERT OR IGNORE for tables that want it in the shard merge The sharded write path (#41262) merges every shard table with `INSERT OR IGNORE`. That's right for `uploads`, but for every other table it silently swallows a genuine cross-step/cross-shard duplicate row that the single-writer path would have raised on ā so a concurrency bug that doubles a key becomes silent data loss with no error and no baseline to diff against. This scopes the `OR IGNORE` back to just the tables that actually want it, derived from the models rather than a hardcoded table name: - `IntermediateDB.conflict_strategy_for(table)` resolves a table's model and reads its declared `conflict_strategy`, defaulting to `:raise`. - Only `upload` declares `:ignore` (its rows are content-identical for a given id-hash, so first-writer-wins is intended). A future `OR IGNORE` model flips its own merge clause with no change to the merge code. - `Connection#merge_database` takes `dedupe_tables:` and picks the clause per table; a plain-table conflict raises, wrapped with the table name, and the error surfaces through `Consolidator#drain` as a run failure. This restores the earlier behaviour where a genuine duplicate on a plain table is an error, not a dropped row.
-
Gabriel Grubba (03 Jul 26)
FIX: Ignore title parameter during public signup (#41381) Public account creation accepted `title` from non-admin signup requests, allowing a new user to assign themselves an arbitrary visible profile title before normal title authorization checks could apply. Ignore `title` for non-admin account creation, matching the existing treatment of primary/flair group parameters. Admin API user creation remains unchanged. Co-authored-by: discourse-patch-triage <272280883+discourse-patch-triage[bot]@users.noreply.github.com>
-
Gabriel Grubba (03 Jul 26)
DEV: outlet for thread actions (#41382) This adds an outlet for both thread actions in drawer and full page mode
-
Joffrey JAFFEUX (03 Jul 26)
FEATURE: adds user-search trigger to workflows (#41423) Adds a new trigger node: user-search. This will trigger when a user is doing a non empty search through the UI. To make it possible: - a new DiscourseEvent trigger has been created: user_search - the workflows cache has been improved/simplified to allow for different kind of triggers/nodes
-
David Taylor (03 Jul 26)
FIX: Prevent error when a reviewable claim is broadcast for a topicless reviewable (#41418) Previously, claiming a topic in the review queue threw `Cannot read properties of null (reading 'id')` in every `ReviewableItem` whose reviewable had no associated topic (e.g. `ReviewableUser` or a queued new topic), because `_updateClaimedBy` dereferenced `this.reviewable.topic.id` on the `/reviewable_claimed` broadcast. This change compares against the existing `topicId` getter, which safely resolves the topic id and lets topicless reviewables ignore the broadcast instead of erroring.
-
David Taylor (03 Jul 26)
DEV: Use `sinon` to stub `capabilities.touch` (#41419) Using `Object.defineProperty` means that it persists and affects other tests in the suite Followup to 64d03062de
-
chapoi (03 Jul 26)
UX: fix topic title edit aligments (#41417) The translation info increased the size of the `edit-title__wrapper`, which in turn broke the absolute positioning (necessary evil) of the AI helper button. This commit moves `editing-localization-indicator` a parent up, to `edit-topic-title`, so it's just part of the flex layout and no longer interferes with the wrapper. | Then | Now | |--------|--------| | <img width="822" height="203" alt="CleanShot 2026-07-03 at 11 44 09" src="https://github.com/user-attachments/assets/ce525ab1-2028-43a3-86cd-61be5ae66779" /> | <img width="822" height="203" alt="CleanShot 2026-07-03 at 11 43 35" src="https://github.com/user-attachments/assets/58aa1c28-2f65-469c-9769-08279062ad16" /> |
-
Natalie Tay (03 Jul 26)
SECURITY: Restrict user action removal messages (#41405) Scope UserAction removal MessageBus publishes to the affected user so unrelated clients cannot receive removal metadata.
-
Gerhard Schlager (29 Jun 26)
MT: Run conversion steps concurrently and split the heavy ones across cores This is the big one I've been building up to across the step-concurrency series: the converter now uses every core instead of grinding through one step at a time on a single CPU. The win scales with the number of cores, so the figure depends on the machine. On my laptop, running all the currently implemented Discourse converter steps dropped from 102s to 18s, about 5.5x faster, with all cores busy the whole time. Two things were slow before: steps ran one after another, and the few genuinely large steps (topic_users above all) ran single-threaded even when nothing else was happening. This PR tackles both. Concurrent steps. A dependency-aware scheduler runs independent steps at the same time, each with its own source connection. It's event-driven: as soon as a step finishes, it frees its fork and the next ready step starts, so the cores don't sit idle between steps. How many run at once is bounded by the cores it can use, and `--max-parallel-steps` lowers it. A pull model for workers. Instead of the parent reading every row and streaming items down a pipe to the workers, each worker now opens its own source connection and reads its own slice directly. Only progress goes back over the pipe, and only once every thousand items, so it's never the bottleneck. The parent's single-threaded read was the real ceiling, and this removes it, along with a fair bit of machinery (the old worker pool, the item serialization, the handshake). Partitioning the heavy steps. A step opts in with `partition_by`, and the scheduler splits it across forks, each reading one chunk of the key range. I kept it general: a dense numeric key is divided into even chunks straight from a cheap MIN/MAX, while a sparse numeric key or a text/UUID or composite key falls back to a sorted-key scan so every chunk holds a similar number of rows whatever the key type. The dialect-specific SQL lives in the Postgres adapter, so other sources can fill in their own later. One caveat I documented on `partition_by`: only use it on steps whose processing is order-independent, since the forks run concurrently and their output is merged. Sharded writes. Each worker writes to its own SQLite shard, and a background consolidator folds finished shards back into the run database off the step's critical path, so a step no longer lingers at 100% while its merge runs. Reliability. A bad row or a worker that dies mid-step no longer hangs the run or takes down the other steps running at the same time: failures are caught and surfaced per step. Debugging. Forks make a debugger awkward, so there's a `--no-fork` flag: it runs each step inline in the main process, one at a time, so a breakpoint in a step's `process` stops where you can actually use it. The data path is the same (it still writes a shard the consolidator merges), only the fork is gone. Output order is no longer deterministic with concurrency, so to check correctness I added a small dev script under `migrations/tooling/scripts` that compares two IntermediateDBs order-insensitively and used it to confirm a parallel run produces the same data as a serial one. The gem suites are green.
-
David Taylor (03 Jul 26)
FIX: Stop asset-processor build from loading tsconfig (#41415) Our tsconfig is designed for development use only, and is not needed for a successful asset-processor build. In most cases, it didn't cause a problem. However, if someone does `rm -rf` on a core plugin, then it causes core's tscconfig to become invalid, which then breaks the asset-processor build.
-
Discourse Translator Bot (03 Jul 26)
I18N: Update translations (#41407)
Discourse Security
Security Advisories (100)
- medium Patched CVSS 4.3
CVE-2026-44779 Bot debug endpoints disclose whisper translation audit logs
- medium Patched CVSS 4.3
CVE-2026-44782 GroupPostSerializer leaks hidden full names through reaction post association
- medium Patched CVSS 5.4
CVE-2026-44783 Replying to a whisper lets non-whisperers create staff-only whisper posts
- high Patched CVSS 7.5
CVE-2026-44786 Public chat MessageBus broadcasts are not restricted to chat-eligible users
- medium Patched CVSS 5.3
CVE-2026-45085 Chat misauthorization and information disclosure
- medium Patched CVSS 6.5
CVE-2026-44784 Non-staff group owners can see email password in plaintext through group history
- medium Patched CVSS 4.3
CVE-2026-44785 Hidden reply-to post raw can be disclosed through AI explain prompts
- medium Patched CVSS 6.8
CVE-2026-45775 Cross-site backup access via path traversal in multisite local backups
- medium Patched CVSS 5.3
CVE-2026-47264 Don't leak restricted tag group names via tag info
- low Patched
CVE-2026-34154 Subscription access bypass in discourse-subscriptions plugin
- medium Patched CVSS 4.3
CVE-2026-32951 Authorization bypass in oneboxer via user-controlled category id
- low Patched
CVE-2026-33415 Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
- low Patched
CVE-2026-33073 discourse-subscriptions plugin leaking stripe API key in multisite environment
- medium Patched
CVE-2026-33074 Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
- medium Patched
CVE-2026-33300 Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint
- medium Patched
CVE-2026-33185 Group SMTP test endpoint susceptible to SSRF
- medium Patched
CVE-2026-33514 Information Disclosure in Form Template API Due to Missing Authorization
- medium Patched CVSS 4.3
CVE-2026-44780 Category queue reviewers can read raw incoming emails from queued posts
- low Patched
CVE-2026-34947 Staged user custom fields are exposed on public invite pages
- medium Patched CVSS 4.3
CVE-2026-47263 Prevent webhook payload disclosure on event redelivery
- medium Patched CVSS 5.3
CVE-2026-31805 Poll authorization bypass via post_id array parameter
- medium Patched
CVE-2026-31869 Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
- medium Patched
CVE-2026-32620 Missing post-level authorization allows whisper metadata disclosure
- medium Patched
CVE-2026-32619 Insufficient topic visibility check allows unauthorized poll manipulation in private categories
- low Patched
CVE-2026-33427 Discourse Authorization Page Displays Unvalidated Redirect Domain
- medium Patched
CVE-2026-32113 Open redirect via `sso_destination_url` cookie in `enter`
- medium Patched
CVE-2026-32143 Admin-only report can be exported by moderators
- medium Patched
CVE-2026-32243 Stored XSS in discourse-ai shared conversations onebox
- medium Patched
CVE-2026-32615 Category group moderators can perform actions on topics in restricted categories without read access
- low Patched
CVE-2026-32607 Stored XSS via unescaped assignee name
- medium Patched CVSS 4.3
CVE-2026-32618 Unauthorized channel membership inference via excluded_memberships_channel_id
- medium Patched CVSS 5.4
CVE-2026-33410 Harden chat DM channel creation and expansion
- medium Patched CVSS 6.5
CVE-2026-33355 Filter whisper posts from private-posts feed
- medium Patched CVSS 4.3
CVE-2026-32099 Prevent hidden profile data leak via user onebox
- low Patched CVSS 2.7
CVE-2026-33394 Do not leak PM post edits to moderators
- medium Patched CVSS 4.3
CVE-2026-33393 Fix loose hostname matching in spam host allowlist
- medium Patched CVSS 5.3
CVE-2026-27454 Check revision visibility on posts endpoint
- medium Patched
CVE-2026-27154 XSS when editing a malicious post
- medium Patched
CVE-2026-27153 Prevent moderators from exporting user Chat DMs
- medium Patched
CVE-2026-27151 Validate destination topic when moving posts
- medium Patched
CVE-2026-27162 Prevents whispers to leak in excerpts
- medium Patched
CVE-2026-27152 DM communication-preference bypass when adding members
- medium Patched
CVE-2026-27150 Ensure guardian check when creating QueryGroupBookmark
- high Patched
CVE-2026-27149 SQL injection in PM tag filtering
- medium Patched CVSS 5.4
CVE-2026-26207 Lack of post access check in discourse-policy
- high Patched CVSS 7.5
CVE-2026-26265 IDOR vulnerability in the directory items endpoint
- medium Patched CVSS 4.3
CVE-2026-26973 Scope reviewable notes to user-visible reviewables
- low Patched CVSS 2.2
CVE-2026-33408 Improper Authorization in "Post Edits" Report For Moderators
- medium Patched CVSS 4.1
CVE-2026-27166 HTML injection via prohibited iframe URLs
- medium Patched CVSS 4.4
CVE-2026-33395 Stored clickābased XSS via Graphviz SVG javascript: links
- medium Patched
CVE-2026-27491 Bypass of official warnings messages by non-staff users
- medium Patched
CVE-2026-27021 Poll voters endpoint lacked post visibility checks
- medium Patched
CVE-2026-27481 Hidden tag visibility bypass on tag routes
- medium Patched
CVE-2026-27740 Stored XSS in AI Triage Automation
- medium Patched
CVE-2026-27570 Stored XSS via Shared AI Conversation Onebox
- medium Patched
CVE-2026-27936 Restricted post-action counts are disclosed to non-privileged users
- high Patched
CVE-2026-27934 Private topic title and post excerpt leaked via user action API endpoint
- medium Patched
CVE-2026-27935 Private topic metadata leaked to non-authorised users
- low Patched
CVE-2026-28282 Group membership addition permission bypass via discourse-policy plugin
- high Patched
CVE-2026-29072 Missing permission check for policy creation in discourse-policy
- medium Patched
CVE-2026-33291 User can create zendesk tickets even when it does not have access to topic
- medium Patched
CVE-2026-32114 Unscoped status lookups leak restricted metadata
- medium Patched CVSS 5.3
CVE-2026-32244 Cached outdated summaries can leak removed content
- medium Patched CVSS 5.4
CVE-2026-32273 XSS on category description update via API
- medium Patched
CVE-2026-33425 Private group membership or existence inferable via exclude_groups parameter
- high Patched
CVE-2026-33428 Unauthorized Access to Deleted Posts Index via Group Membership
- medium Patched
CVE-2026-30891 Unauthorized Exposure of Private User Action Types
- medium Patched
CVE-2026-30889 Unauthorized Post Data Exposure in discourse-user-notes
- medium Patched CVSS 5.4
CVE-2026-33411 Solved topic stream has potential stored XSS in topic title
- medium Patched CVSS 5.4
CVE-2026-33251 Hidden Solved topics permission bypass
- low Patched
CVE-2026-30888 Moderator privilege escalation via arbitrary post_id in suspend/silence endpoint
- medium Patched CVSS 5.9
CVE-2026-33424 PM access granted through invites after access revocation
- low Patched
CVE-2026-33423 Staff can modify any user's group notification level
- low Patched CVSS 3.5
CVE-2026-33426 Users can edit or synonymize hidden tags they can't see
- low Patched CVSS 3.5
CVE-2026-33422 ip_address of flagged user exposed
- high Patched CVSS 7.5
CVE-2026-26078 Authentication bypass vulnerability in the Patreon plugin webhook endpoint
- medium Patched
CVE-2025-68660 AI Discover's continue conversation allows to impersonate user
- medium Patched CVSS 4.3
CVE-2025-68659 DoS vulnerability in username change endpoint
- medium Patched
CVE-2025-68666 Users archives leaked to users with moderation privileges
- high Patched
CVE-2025-69218 Moderators can access admin-only reports exposing private upload URLs
- medium Patched
CVE-2025-69289 Insecure default configuration allows non-admin moderators to non-staff accounts via email change
- low Patched
CVE-2026-26979 TL4 users are able to change status of restricted topics
- medium Patched CVSS 6.5
CVE-2026-24742 Staff action logs expose sensitive information to moderators
- high Patched CVSS 7.1
CVE-2025-68479 Subscriptions are susceptible to takeover
- high Patched CVSS 7.6
CVE-2025-68662 FinalDestination hostname matching allows SSRF protection bypass
- medium Patched
CVE-2025-64528 Users are able to find users by name even when `enable_names` is off
- medium Patched
CVE-2026-23743 Permalinks to restricted resources leak resource slugs to unauthorized users
- medium Patched CVSS 6.5
CVE-2026-21865 Topic conversion permission vulnerability for moderators
- medium Patched
CVE-2026-28218 Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
- low Patched CVSS 3.5
CVE-2025-58054 XSS when quoting chat messages via channel title and thread title in RTE
- medium Patched CVSS 4.3
CVE-2025-58055 Insecure Direct Object Reference via AI Suggestions
- medium Patched
CVE-2025-61598 Missing Cache-Control response header on error responses
- medium Patched CVSS 6.5
CVE-2026-26077 Ensures webhooks require a token
- medium Patched
CVE-2026-28227 Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category
- low Patched
CVE-2026-28219 Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners
- medium Patched CVSS 6.9
CVE-2025-68933 Non-admin moderators can exfiltrate private content via post ownership transfer
- medium Patched CVSS 6.5
CVE-2025-68934 Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
- medium Patched CVSS 4.6
CVE-2025-66488 Script execution in uploaded HTML/XML files on S3
- medium Patched
CVE-2025-59337 Backup restore meta-command injection leading to cross-site data access in multisite environments
- low Patched
CVE-2025-54411 Welcome banner user name XSS
Discourse Website
Website
Discourse | Where Tech Companies Build Communities
The customizable, scalable community platform powering over 22,000 communities. Create knowledge through conversation.
Redirects
Does not redirect
Security Checks
All 65 security checks passed
Server Details
- IP Address 13.32.179.16
- Hostname server-13-32-179-16.atl59.r.cloudfront.net
- Location Atlanta, Georgia, United States of America, NA
- ISP Amazon.com Inc.
- ASN AS16509
Associated Countries
-
US -
CA
Safety Score
Website marked as safe
100%
Blacklist Check
www.discourse.org was found on 0 blacklists
- AntiSocial Blacklist
- Artists Against 419
- Badbitcoin
- Bambenek Consulting
- CERT Polska
- CoinBlockerLists
- CRDF
- CryptoScamDB
- EtherAddressLookup
- EtherScamDB
- Fake Website Buster
- MetaMask EthPhishing
- NABP Not Recommended Sites
- OpenPhish
- PetScams
- PhishFeed
- PhishFort
- Phishing.Database
- PhishStats
- PhishTank
- Phishunt
- RPiList Not Serious
- Scam.Directory
- SecureReload Phishing List
- Spam404
- StopGunScams
- Suspicious Hosting IP
- ThreatFox
- ThreatLog
- TweetFeed
- URLhaus
- ViriBack C2 Tracker
Website Preview
Discourse Reviews
More Social Networks
-
A federated, open-source link aggregator and discussion platform, similar to Reddit. Built on ActivityPub. Wide range of cross-platform client apps.
-
An open-source, distributed social media platform functioning similarly to Twitter, without algorithmic timeline manipulations. It operates across independent servers.
-
nostr stands for Notes and other stuff transmitted by relays. It is an open protocol, not merely a platform. This distinction enables truly censorship-resistant and global value-for-value publishing on the web. With the power to replace data-greedy applications like Twitter and Instagram, nostr offers a promising alternative for users seeking a more private and secure online experience without algorithmic manipulations. ".... I feel like Iām looking at the future." that is what Snowden wrote about nostr.
About the Data: Discourse
API
You can access Discourse's data programmatically via our API. Simply make a GET request to:
https://api.awesome-privacy.xyz/v1/services/discourse The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
Share Discourse
Help your friends compare Social Networks, and pick
privacy-respecting software and services.
Share Discourse and Awesome Privacy with your network!