PatchSiren

discourse CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM discourse CVE published 2026-06-12

CVE-2026-47264

CVE-2026-47264 is an information disclosure vulnerability in Discourse's DetailedTagSerializer. Versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 are affected. The vulnerability allows anonymous and unprivileged users to read the names of tag groups restricted to specific user groups or non-visible categories when SiteSetting.tags_liste [truncated]

MEDIUM discourse CVE published 2026-06-12

CVE-2026-47263

CVE-2026-47263 is a medium-severity vulnerability in Discourse, an open-source discussion platform. The issue allows authenticated users to access webhook events due to a missing group ID in the MessageBus.publish call. This vulnerability affects Discourse versions from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. The vulnerability has bee [truncated]

MEDIUM discourse CVE published 2026-06-12

CVE-2026-45775

CVE-2026-45775 is a MEDIUM severity vulnerability in Discourse, an open-source discussion platform. A path traversal issue in backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. Specifically, an admin on Site A could potentially retrieve sensitive backup data from Site B (same hos [truncated]
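
The defensive counterpart to the backup path traversal above, written as an added example (it is not Discourse's backup code): each requested backup name is allow-listed and then resolved against the requesting site's own directory, so a name from Site A can never resolve into Site B's directory. The per-site layout under BACKUP_ROOT and the two name patterns are assumptions made for the example.

```ruby
# Added example (not Discourse's backup code): resolve a requested backup file
# name against ONE site's local backup directory and refuse anything else.
# The directory layout below is assumed for the example: every site in a
# multisite deployment keeps its backups under <root>/<site_name>/.
BACKUP_ROOT = "/shared/backups"

class BackupPathError < StandardError; end

SITE_NAME_RE = /\A[A-Za-z0-9_-]+\z/
# Backup file names are bare names: no separators, no leading dot, no "~".
BACKUP_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Returns the absolute path of +filename+ inside +site+'s backup directory, or
# raises BackupPathError if either component would point anywhere else.
def resolve_backup_path(site, filename, root: BACKUP_ROOT)
  raise BackupPathError, "bad site name: #{site.inspect}" unless site.match?(SITE_NAME_RE)
  raise BackupPathError, "bad backup name: #{filename.inspect}" unless filename.match?(BACKUP_NAME_RE)

  site_dir = File.expand_path(site, root)
  resolved = File.expand_path(filename, site_dir)

  # Defence in depth: even if the allow-lists above are loosened later, the
  # resolved path must still live strictly below this site's directory.
  unless resolved.start_with?(site_dir + File::SEPARATOR)
    raise BackupPathError, "#{filename.inspect} escapes #{site_dir}"
  end
  resolved
end

# Boolean wrapper for callers that only need an accept/reject decision.
def backup_path_allowed?(site, filename)
  resolve_backup_path(site, filename)
  true
rescue BackupPathError
  false
end
```

The allow-list rejects "../", absolute paths, backslashes and "~user" forms before the filesystem is touched; the start_with? check is a second gate so that relaxing the pattern later (for example to permit subdirectories) cannot silently reopen cross-site access.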

MEDIUM discourse CVE published 2026-06-12

CVE-2026-45085

CVE-2026-45085 is a MEDIUM-severity vulnerability (CVSS score 5.3) in the Discourse open-source discussion platform. It affects sites with the chat plugin enabled; the calendar-related issue additionally requires the discourse-calendar plugin. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosu [truncated]

HIGH discourse CVE published 2026-06-12

CVE-2026-44786

CVE-2026-44786 is a HIGH severity vulnerability in Discourse, an open-source discussion platform. Chat events for public category channels were published to MessageBus without permission scoping, so any MessageBus subscriber, including users who do not have chat enabled, received chat message payloads in real time. The affected versions are from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, an [truncated]
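
Both MessageBus entries above (CVE-2026-47263, webhook events published without a group id, and CVE-2026-44786, chat payloads published without permission scoping) come down to the same missing argument. The added example below is a small in-memory stand-in for a pub/sub bus whose publish call takes group_ids:/user_ids: in the way the message_bus gem used by Discourse does; it is not the gem, and the channel names, group ids and subscribers are constructed for the example.

```ruby
# Added example, serving the two MessageBus entries above (CVE-2026-47263 and
# CVE-2026-44786). A tiny in-memory stand-in for a pub/sub bus whose publish
# call accepts group_ids:/user_ids: like the message_bus gem used by Discourse.
# It is not the gem; channel names and group ids below are made up.
Subscriber = Struct.new(:user_id, :group_ids, :inbox, keyword_init: true)

class ScopedBus
  def initialize
    @subscribers = Hash.new { |h, channel| h[channel] = [] }
  end

  def subscribe(channel, subscriber)
    @subscribers[channel] << subscriber
  end

  # Delivery is filtered by the scope given at publish time. Passing neither
  # option delivers to every subscriber of the channel, which is exactly the
  # shape that leaked webhook events and chat payloads.
  def publish(channel, payload, group_ids: nil, user_ids: nil)
    @subscribers[channel].each do |sub|
      next if group_ids && (sub.group_ids & group_ids).empty?
      next if user_ids && !user_ids.include?(sub.user_id)
      sub.inbox << payload
    end
  end
end

STAFF_GROUP_ID = 3      # assumed id of the staff group
CHAT_GROUP_ID  = 10     # assumed id of the group allowed to use chat

# Publishes one payload on +channel+ with the given scope and returns the ids
# of the subscribers that actually received it.
def recipients_after_publish(channel, subscribers, group_ids: nil, user_ids: nil)
  bus = ScopedBus.new
  subscribers.each { |s| bus.subscribe(channel, s) }
  bus.publish(channel, { channel: channel, body: "payload" },
              group_ids: group_ids, user_ids: user_ids)
  subscribers.select { |s| s.inbox.any? }.map(&:user_id)
end

# Constructed subscribers: a staff member with chat, a chat user, and a plain
# member who has neither chat nor staff rights.
def sample_subscribers
  [
    Subscriber.new(user_id: 1, group_ids: [STAFF_GROUP_ID, CHAT_GROUP_ID], inbox: []),
    Subscriber.new(user_id: 2, group_ids: [CHAT_GROUP_ID], inbox: []),
    Subscriber.new(user_id: 3, group_ids: [], inbox: []),
  ]
end
```

The unscoped publish is the one to grep for in review: a payload that is only meant for staff, or only for a channel's members, must carry group_ids or user_ids at the publish site, because subscribing to a MessageBus channel is not itself an authorization check.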

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44785

CVE-2026-44785 is a vulnerability in the Discourse open-source discussion platform. The AI 'explain' helper only checks can_see? on the post being explained, not its reply_to_post. This allows any authenticated user with access to the AI helper to read the raw contents of a hidden parent post by invoking 'Explain' on a reply to it. The affected versions are from 2026.1.0-latest to before 2026.1.4, 2026.3. [truncated]
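
The check that was missing above, as an added example that is not discourse-ai's "explain" helper: the context handed to the model is built from the reply and its parent, so every post whose text enters the prompt has to pass can_see?, not just the one the user clicked. Post, User and the hidden-is-staff-only rule in Guardian are stand-ins assumed for the example.

```ruby
# Added example, not discourse-ai's "explain" helper: a stand-in that builds
# the context an explain prompt would be given from a post AND the post it
# replies to, in the vulnerable shape (only the target post is checked) and
# the corrected shape (every post whose text enters the prompt is checked).
# Post, User and the hidden/staff visibility rule in Guardian are assumptions.
Post = Struct.new(:id, :raw, :hidden, :reply_to_post, keyword_init: true)
User = Struct.new(:name, :staff, keyword_init: true)

class NotAuthorized < StandardError; end

class Guardian
  def initialize(user)
    @user = user
  end

  # Assumed rule: hidden posts are visible to staff only; nil is never visible.
  def can_see?(post)
    return false if post.nil?
    !post.hidden || @user.staff
  end
end

# Vulnerable shape: can_see? runs on the reply only, yet the parent's raw
# text is still pulled into the prompt, so a hidden parent leaks through the
# model's explanation.
def explain_context_vulnerable(guardian, post)
  raise NotAuthorized unless guardian.can_see?(post)
  parent = post.reply_to_post
  { post: post.raw, parent: parent&.raw }
end

# Corrected shape: the parent is included only if the same guardian may see
# it; otherwise it is dropped rather than failing the whole request, so the
# reply itself stays explainable.
def explain_context_fixed(guardian, post)
  raise NotAuthorized unless guardian.can_see?(post)
  parent = post.reply_to_post
  parent = nil unless guardian.can_see?(parent)
  { post: post.raw, parent: parent&.raw }
end
```

The same rule applies to any feature that aggregates several objects before authorizing: summaries, quotes, previews and AI helpers all need the check applied per object, at the point where the object's content is read.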

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44784

CVE-2026-44784 is a vulnerability in Discourse, an open-source discussion platform. The issue affects versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. In these versions, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/log [truncated]

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44783

CVE-2026-44783 is a medium-severity vulnerability in the Discourse discussion platform. A flaw in handling replies to whisper posts allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affe [truncated]

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44782

CVE-2026-44782 is a vulnerability in Discourse, an open-source discussion platform. The issue involves an incorrect predicate in GroupPostSerializer, leading to unintended serialization of user names. Versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 are affected. The vulnerability has been patched in versions 2026.1.4, 2026.3.1, 2026.4 [truncated]

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44780

CVE-2026-44780 is an information disclosure vulnerability affecting Discourse, an open-source discussion platform. The vulnerability exists in versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. The issue arises from the ReviewableQueuedPostSerializer unconditionally including payload[raw_email] for posts that arrived via incoming email. [truncated]
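
Three of the entries on this page (CVE-2026-47264, CVE-2026-44782 and CVE-2026-44780) are serializer disclosures: an attribute emitted with no predicate at all, or with a predicate that tests the wrong thing. The added example below is not one of Discourse's ActiveModel::Serializer subclasses; MiniSerializer only mirrors the "declare attributes, gate the sensitive one with include_<attribute>?" convention, and Guardian and QueuedPost are stand-ins with made-up fields.

```ruby
# Added example, not Discourse's serializers (which build on
# ActiveModel::Serializer). MiniSerializer mirrors the convention those
# serializers use: declare attributes, then gate a sensitive one with an
# include_<attribute>? predicate. The subclasses show the failing shape
# (raw_email emitted unconditionally, as in CVE-2026-44780) and the corrected
# one. Guardian and QueuedPost are stand-ins with made-up fields.
class MiniSerializer
  def self.attributes(*names)
    attrs.concat(names)
  end

  def self.attrs
    @attrs ||= []
  end

  attr_reader :object, :scope

  def initialize(object, scope:)
    @object = object
    @scope = scope
  end

  # An attribute is emitted unless an include_<name>? predicate exists and
  # returns false. A predicate that is missing, or that checks the wrong
  # condition, therefore fails open.
  def as_json
    self.class.attrs.each_with_object({}) do |name, out|
      predicate = :"include_#{name}?"
      next if respond_to?(predicate, true) && !send(predicate)
      out[name] = object.public_send(name)
    end
  end
end

Guardian = Struct.new(:staff, keyword_init: true) do
  # Assumed rule: only staff may see the raw inbound email of a queued post.
  def can_see_raw_email?
    staff
  end
end

QueuedPost = Struct.new(:raw, :raw_email, keyword_init: true)

# Vulnerable shape: raw_email is declared with no predicate, so every
# reviewer receives the full inbound email (headers, routing, quoted mail).
class LeakyQueuedPostSerializer < MiniSerializer
  attributes :raw, :raw_email
end

# Corrected shape: the attribute is included only for a scope that may see it,
# and only when there is something to include.
class QueuedPostSerializer < MiniSerializer
  attributes :raw, :raw_email

  def include_raw_email?
    !object.raw_email.nil? && scope.can_see_raw_email?
  end
end

def serialize(serializer_class, post, guardian)
  serializer_class.new(post, scope: guardian).as_json
end
```

When auditing a serializer, list every attribute that reveals something the scope might not be allowed to see and confirm each one has a predicate that consults the guardian, not just a site setting or a field on the object; that is the difference between the two subclasses above.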

MEDIUM discourse CVE published 2026-06-12

CVE-2026-44779

CVE-2026-44779 is a vulnerability in Discourse, an open-source discussion platform. Bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

LOW discourse CVE published 2026-05-19

CVE-2026-34154

CVE-2026-34154 is a low-severity access-control issue in Discourse’s discourse-subscriptions plugin. According to the official advisory and NVD record, affected deployments before 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 could allow users to gain access to subscription-gated groups without completing payment. The flaw is tracked as CWE-862 (missing authorization) and was publicly disclosed on 2026-05-19.

MEDIUM discourse CVE published 2026-05-19

CVE-2026-33514

An authenticated information disclosure vulnerability exists in Discourse's form templates feature. Affected versions fail to enforce category-level authorization checks when retrieving form template metadata, allowing any authenticated user to read template names and structured content intended for restricted categories. The vulnerability requires the form templates feature to be enabled and valid user a [truncated]

MEDIUM discourse CVE published 2026-05-19

CVE-2026-32244

A vulnerability in Discourse, an open-source discussion platform, allows outdated cached AI summaries to leak removed content to anonymous and unprivileged users who cannot regenerate summaries. The issue affects versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The vulnerability stems from improper handling of cached AI-generated summaries when underlying content has been removed or [truncated]
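
One way to keep a cached summary from outliving the content it quotes, as an added example that is not discourse-ai's summarisation code: the cache remembers a digest of the posts a summary was built from and refuses to serve the cached text once those posts have been removed or changed. Post, the in-memory store and the deleted flag are stand-ins constructed for the example.

```ruby
# Added example, not discourse-ai's summarisation code: a summary cache that
# remembers which posts a summary was built from, and refuses to serve a cached
# summary once those posts have changed or been removed. Post, the cache store
# and the "deleted" flag are stand-ins constructed for the example.
require "digest"

Post = Struct.new(:id, :raw, :deleted, keyword_init: true)
CachedSummary = Struct.new(:text, :digest, keyword_init: true)

# Digest over the ids and bodies of the posts that feed the summary. Removing,
# editing or hiding any of them changes the digest.
def summary_source_digest(posts)
  Digest::SHA256.hexdigest(posts.map { |p| "#{p.id}\n#{p.raw}" }.join("\0"))
end

class SummaryCache
  def initialize
    @store = {}
  end

  def write(topic_id, posts, text)
    @store[topic_id] = CachedSummary.new(text: text, digest: summary_source_digest(posts))
  end

  # Vulnerable shape: serve whatever is cached, regardless of what the topic
  # looks like now. A summary built before a post was removed keeps quoting it.
  def read_unchecked(topic_id)
    @store[topic_id]&.text
  end

  # Corrected shape: the cached text is served only if the visible posts of
  # the topic still hash to the digest it was built from. Otherwise nil is
  # returned, and only a user allowed to regenerate gets a fresh summary.
  def read(topic_id, current_posts)
    cached = @store[topic_id]
    return nil if cached.nil?
    visible = current_posts.reject(&:deleted)
    cached.digest == summary_source_digest(visible) ? cached.text : nil
  end
end

# Constructed scenario: a summary is generated, then one of its source posts
# is removed. The unchecked read still returns the old text.
def stale_summary_demo
  cache = SummaryCache.new
  posts = [
    Post.new(id: 1, raw: "Release notes for 2026.4", deleted: false),
    Post.new(id: 2, raw: "Internal: the staging password was pasted here", deleted: false),
  ]
  cache.write(42, posts, "Covers the 2026.4 release notes and mentions a staging password.")
  posts[1].deleted = true
  { unchecked: cache.read_unchecked(42), checked: cache.read(42, posts) }
end
```

Keying the cache on a content digest rather than on a timestamp also covers edits and un-hides, and it costs one hash over post ids and bodies per read, which is cheap next to generating a summary.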

HIGH Discourse CVE published 2026-05-05

CVE-2026-44028

CVE-2026-44028 was publicly disclosed on 2026-05-05 and updated on 2026-05-09. The issue affects Nix and Lix and centers on unbounded recursion in the NAR (Nix Archive) parser. In the affected code path, a stack overflow on a coroutine stack without a guard page can corrupt heap memory, which may lead to arbitrary code execution as the Nix daemon runs as root in multi-user deployments if ASLR hardening is [truncated]
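
The fix for the recursion problem above is a depth cap checked on entry to the recursive routine. As an added example, and not Nix or Lix code, the parser below handles a token-level sketch of the NAR grammar (a node is "(" "type" <kind> ... ")", and a directory holds "entry" "(" "name" <n> "node" <node> ")" items); it leaves out the byte-level length-prefixed encoding of real archives, and the cap value of 64 is an assumption for the example.

```ruby
# Added example, not Nix or Lix code: a depth-bounded recursive-descent parser
# for a token-level sketch of the NAR grammar. It skips the byte-level
# length-prefixed encoding of real NARs; the point is the explicit recursion
# cap that the vulnerable parser lacked. MAX_DEPTH is an assumed value.
class NarSyntaxError < StandardError; end
class NarDepthExceeded < StandardError; end

class NarSketchParser
  MAX_DEPTH = 64   # assumed cap; real archives nest far shallower than this

  def initialize(tokens, max_depth: MAX_DEPTH)
    @tokens = tokens
    @pos = 0
    @max_depth = max_depth   # nil reproduces the unbounded (vulnerable) shape
  end

  def parse
    expect("nix-archive-1")
    node = parse_node(1)
    raise NarSyntaxError, "trailing tokens" if @pos != @tokens.length
    node
  end

  private

  def next_token
    tok = @tokens[@pos]
    raise NarSyntaxError, "unexpected end of archive" if tok.nil?
    @pos += 1
    tok
  end

  def expect(want)
    got = next_token
    raise NarSyntaxError, "expected #{want.inspect}, got #{got.inspect}" unless got == want
    got
  end

  # Every nested node costs one native stack frame; the cap is checked on entry
  # so attacker-controlled nesting cannot exhaust the stack.
  def parse_node(depth)
    if @max_depth && depth > @max_depth
      raise NarDepthExceeded, "nesting deeper than #{@max_depth}"
    end
    expect("(")
    expect("type")
    case next_token
    when "regular"
      expect(")")
      { type: :regular }
    when "directory"
      entries = {}
      loop do
        tok = next_token
        break if tok == ")"
        raise NarSyntaxError, "expected entry, got #{tok.inspect}" unless tok == "entry"
        expect("(")
        expect("name")
        name = next_token
        expect("node")
        entries[name] = parse_node(depth + 1)
        expect(")")
      end
      { type: :directory, entries: entries }
    else
      raise NarSyntaxError, "unknown node type"
    end
  end
end

# Constructed input: +depth+ directories nested inside each other, ending in
# one regular file. Built iteratively so the builder itself cannot overflow.
def nested_nar_tokens(depth)
  ["nix-archive-1"] +
    ["(", "type", "directory", "entry", "(", "name", "d", "node"] * depth +
    ["(", "type", "regular", ")"] +
    [")", ")"] * depth
end

# true if the archive parses under +max_depth+, false if the cap fires.
def parses_within_depth?(tokens, max_depth: NarSketchParser::MAX_DEPTH)
  NarSketchParser.new(tokens, max_depth: max_depth).parse
  true
rescue NarDepthExceeded
  false
end
```

With max_depth: nil the parser has the vulnerable shape and recurses as deep as the input says, which in Ruby ends in SystemStackError and in a native parser running on an unguarded coroutine stack ends in the heap corruption the advisory describes. The cap turns that into a clean parse error for a malformed archive, which is the only outcome a daemon running as root should offer.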