CVE-2026-33394

Published: Mar 19, 2026 Last Modified: Mar 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 2,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: none

Description

AI Translation Available

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
Technologies: Mobile, Not Technology-Specific, Web Based
Likelihood of Exploit: High
View CWE Details
https://github.com/discourse/discourse/commit/3bf3793a70866…
https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091ab…
https://github.com/discourse/discourse/commit/473288219e93c…
https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388…
https://github.com/discourse/discourse/commit/62721429d4402…
https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032…
https://github.com/discourse/discourse/security/advisories/…
https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p