CVE-2026-27149

by Fred · 26/02/2026

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

More information : https://github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w

CVE-2026-27149

Similar

Recent Posts

Categories

CVE-2026-27149

Share this:

Similar

Recent Posts

Categories

Tags