Impact
Discourse, the open‑source discussion platform, contains a flaw that allows a moderator to craft a request to the suspend/silence endpoint with an arbitrary post_id. Through this avenue the moderator can edit site policy documents—such as the Terms of Service, community guidelines, and privacy policy—that are normally protected from modification. This flaw removes a critical guardrail, enabling the unauthorized alteration of the legal and operational framework of the site.
Affected Systems
The vulnerability affects Discourse releases older than 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2. Any installation still running a version earlier than one of those patched releases is susceptible. The affected product is identified as Discourse by the CNA, and the specific versions are listed in the advisory.
Risk and Exploitability
The CVSS score of 2.2 indicates a low severity rating, and an EPSS score of less than 1% suggests that exploitation in the wild is unlikely. The description does not indicate an external attack vector; from the information available, exploitation is inferred to require a moderator account, a role normally granted only to trusted staff. The vulnerability is not present in the CISA KEV catalog, so there is no evidence of active exploitation. The overall risk to an organization is therefore low, provided that moderator access is limited to legitimate staff who have not abused their elevated permissions.
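The root cause described above is an authorization gap: a moderation action trusts a client-supplied post_id without confirming that the post is one the action may legitimately touch. The following Ruby snippet is an added illustration written for this page, not Discourse's own code; the data, function names and the `protected` flag are hypothetical. It contrasts the unchecked pattern with a hardened version that verifies the post belongs to the user being actioned and is not a protected site document before editing it.

```ruby
# Added illustrative example (not Discourse's code). All names, the POSTS table
# and the :protected flag are hypothetical, constructed for this demonstration.

# Constructed sample data: posts keyed by id, with the author's user id and
# whether the post is a protected site-policy document.
POSTS = {
  101 => { user_id: 7, protected: false }, # an ordinary post by user 7
  102 => { user_id: 1, protected: true  }, # e.g. the Terms of Service document
  103 => { user_id: 9, protected: false }, # an ordinary post by a different user
}.freeze

class AuthorizationError < StandardError; end

# Vulnerable pattern: the post_id from the request is used as-is, so any post
# the moderator names is edited as part of the suspend/silence action.
def silence_user_unchecked(target_user_id, post_id, new_text)
  post = POSTS.fetch(post_id) { raise ArgumentError, "unknown post #{post_id}" }
  { silenced: target_user_id, edited_post: post_id, text: new_text }
end

# Hardened pattern: the server checks that the post belongs to the user being
# actioned and is not a protected document before it is modified.
def silence_user_checked(target_user_id, post_id, new_text)
  post = POSTS.fetch(post_id) { raise ArgumentError, "unknown post #{post_id}" }
  unless post[:user_id] == target_user_id
    raise AuthorizationError, "post #{post_id} is not authored by user #{target_user_id}"
  end
  if post[:protected]
    raise AuthorizationError, "post #{post_id} is a protected site document"
  end
  { silenced: target_user_id, edited_post: post_id, text: new_text }
end

if __FILE__ == $PROGRAM_NAME
  # Legitimate use: silencing user 7 for their own post 101 succeeds in both forms.
  p silence_user_checked(7, 101, "[removed by moderator]")
  # The unchecked form happily edits the protected document 102; the checked form refuses.
  p silence_user_unchecked(7, 102, "tampered")
  begin
    silence_user_checked(7, 102, "tampered")
  rescue AuthorizationError => e
    puts "refused: #{e.message}"
  end
end
```

The check belongs on the server, keyed to the target user of the moderation action rather than to whatever post_id the request carries; a moderator's role alone should not be sufficient to reach documents outside that scope.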
OpenCVE Enrichment