{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33394", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.169Z", "datePublished": "2026-03-19T22:06:06.572Z", "dateUpdated": "2026-03-20T18:36:24.612Z"}, "containers": {"cna": {"title": "Discourse leaks PM post edits to moderators", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p"}, {"name": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c"}, {"name": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1"}, {"name": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:06:06.572Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-wxvr-pm5c-829p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T18:32:28.891916Z", "id": "CVE-2026-33394", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:36:24.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T18:32:28.891916Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:36:17.004Z"}}], "cna": {"title": "Discourse leaks PM post edits to moderators", "source": {"advisory": "GHSA-wxvr-pm5c-829p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "name": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "name": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "name": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:06:06.572Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33394", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:36:24.612Z", "dateReserved": "2026-03-19T17:02:34.169Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:06:06.572Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "id": "CVE-2026-33394", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:42.660", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T23:40:33.056922+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to version 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 (or any later release that includes the fix).", "Verify that the /admin/reports/post_edits interface no longer displays private message content."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Discourse by the vendor discourse:discourse. The vulnerability is present in all releases preceding 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2. These specific versions contain the patch that prevents the leak.", "description_and_impact": "Discourse is an open\u2011source discussion platform that allows moderators to view post edits through the admin report (/admin/reports/post_edits). Prior to versions 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2, the report leaked the first 40 characters of raw post content from private messages and secure categories to moderators who should not have access. The leaked snippet could reveal sensitive information, thereby violating confidentiality. This vulnerability is a classic example of information disclosure (CWE\u2011200).", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low severity impact. Exploit probability data (EPSS) is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to be a moderator with access to the admin reports to exploit the leak, and the exposed data is limited to a 40\u2011character preview. While the exploitation requirements are straightforward, the overall risk to the system remains low, but the confidentiality of private messages is compromised and should be addressed promptly."}}}}, "created": "2026-03-20T08:55:21.407374+00:00", "updated": "2026-03-20T11:05:43.686519+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}