Primary

Context

Discourse SQL Injection Vulnerability in Private Message Tag Filtering

Vulnerability

Patched

A SQL injection vulnerability has been identified in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0. This vulnerability occurs in the private message tag filtering feature, specifically within the 'list_private_messages_tag' function. It allows users to bypass tag filter conditions, potentially leading to the unauthorized disclosure of private message metadata.

Impact

Exploitation of this vulnerability could result in unauthorized access to private message metadata by bypassing tag filter conditions.

Remediation

Users are advised to upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.

Added: Feb 26, 2026, 9:32 PM

Updated: Feb 26, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

2.5

exploitability

3.3

remediation

7.7

relevance

3.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

2.5

exploitability

3.3

remediation

7.7

relevance

3.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Discourse SQL Injection Vulnerability in Private Message Tag Filtering

Vulnerability

Impact

Remediation

Affected Products

Discourse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating