CVE-2026-33393

Published: Mar 19, 2026 Last Modified: Mar 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available.

284

Improper Access Control

Incomplete
Abstraction: Pillar Structure: Simple
Common Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
Technologies: ICS/OT, Not Technology-Specific, Web Based
View CWE Details
https://github.com/discourse/discourse/commit/80b19c15fe9c7…
https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c84463…
https://github.com/discourse/discourse/commit/d8467b9fbb3d9…
https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a…
https://github.com/discourse/discourse/commit/f99099cfbc6b7…
https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69…
https://github.com/discourse/discourse/security/advisories/…
https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6