Discourse vulnerabilities: known CVEs & security history
Discourse · Collaboration · 252 tracked CVEs · 0 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Discourse release lines — 252 in total. A CVE here doesn't mean your version is affected — check Discourse's current status and the safe version to run.
Known Discourse CVEs
Actively-exploited and most-severe first. Showing the top 80 of 252. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2021-41163 | critical | 10 | 20% | 2021 |
| CVE-2025-53102 | critical | 9.8 | 0% | 2025 |
| CVE-2025-48877 | critical | 9.8 | 0% | 2025 |
| CVE-2022-36066 | critical | 9.1 | 2% | 2022 |
| CVE-2022-39356 | high | 8.9 | 1% | 2022 |
| CVE-2023-22468 | high | 8.8 | 1% | 2023 |
| CVE-2023-48297 | high | 8.6 | 1% | 2024 |
| CVE-2023-23621 | high | 8.6 | 1% | 2023 |
| CVE-2025-23023 | high | 8.2 | 0% | 2025 |
| CVE-2024-55948 | high | 8.2 | 0% | 2025 |
| CVE-2024-47773 | high | 8.2 | 2% | 2024 |
| CVE-2024-45051 | high | 8.2 | 0% | 2024 |
| CVE-2025-48954 | high | 8.1 | 1% | 2025 |
| CVE-2021-32764 | high | 8.1 | 1% | 2021 |
| CVE-2023-43659 | high | 8 | 0% | 2023 |
| CVE-2023-22454 | high | 8 | 1% | 2023 |
| CVE-2025-68662 | high | 7.6 | 0% | 2026 |
| CVE-2022-39241 | high | 7.6 | 1% | 2022 |
| CVE-2026-44786 | high | 7.5 | 0% | 2026 |
| CVE-2026-33427 | high | 7.5 | 0% | 2026 |
| CVE-2026-29072 | high | 7.5 | 0% | 2026 |
| CVE-2026-27934 | high | 7.5 | 0% | 2026 |
| CVE-2026-26265 | high | 7.5 | 0% | 2026 |
| CVE-2026-26078 | high | 7.5 | 0% | 2026 |
| CVE-2026-23743 | high | 7.5 | 0% | 2026 |
| CVE-2025-49845 | high | 7.5 | 0% | 2025 |
| CVE-2025-48053 | high | 7.5 | 0% | 2025 |
| CVE-2024-53991 | high | 7.5 | 25% | 2024 |
| CVE-2024-43789 | high | 7.5 | 0% | 2024 |
| CVE-2024-35227 | high | 7.5 | 1% | 2024 |
| CVE-2023-47120 | high | 7.5 | 1% | 2023 |
| CVE-2023-45131 | high | 7.5 | 2% | 2023 |
| CVE-2023-44388 | high | 7.5 | 1% | 2023 |
| CVE-2021-41082 | high | 7.5 | 2% | 2021 |
| CVE-2021-3138 | high | 7.5 | 3% | 2021 |
| CVE-2021-37633 | high | 7.4 | 1% | 2021 |
| CVE-2019-1020018 | high | 7.3 | 1% | 2019 |
| CVE-2022-36068 | high | 7.2 | 1% | 2022 |
| CVE-2022-37458 | high | 7.2 | 1% | 2022 |
| CVE-2025-68479 | high | 7.1 | 0% | 2026 |
| CVE-2025-48062 | high | 7.1 | 0% | 2025 |
| CVE-2022-46148 | high | 7.1 | 0% | 2022 |
| CVE-2025-68933 | medium | 6.9 | 0% | 2026 |
| CVE-2026-45775 | medium | 6.8 | 0% | 2026 |
| CVE-2025-59337 | medium | 6.8 | 0% | 2025 |
| CVE-2024-52794 | medium | 6.8 | 0% | 2024 |
| CVE-2023-37467 | medium | 6.8 | 0% | 2023 |
| CVE-2023-36473 | medium | 6.8 | 0% | 2023 |
| CVE-2023-22455 | medium | 6.8 | 0% | 2023 |
| CVE-2021-43850 | medium | 6.8 | 1% | 2022 |
| CVE-2026-44784 | medium | 6.5 | 0% | 2026 |
| CVE-2026-33300 | medium | 6.5 | 0% | 2026 |
| CVE-2026-32143 | medium | 6.5 | 0% | 2026 |
| CVE-2026-33428 | medium | 6.5 | 0% | 2026 |
| CVE-2026-30891 | medium | 6.5 | 0% | 2026 |
| CVE-2026-33355 | medium | 6.5 | 0% | 2026 |
| CVE-2026-28282 | medium | 6.5 | 0% | 2026 |
| CVE-2026-27935 | medium | 6.5 | 0% | 2026 |
| CVE-2026-27149 | medium | 6.5 | 0% | 2026 |
| CVE-2026-26077 | medium | 6.5 | 0% | 2026 |
| CVE-2026-24742 | medium | 6.5 | 0% | 2026 |
| CVE-2026-21865 | medium | 6.5 | 0% | 2026 |
| CVE-2025-69218 | medium | 6.5 | 0% | 2026 |
| CVE-2025-68934 | medium | 6.5 | 0% | 2026 |
| CVE-2025-68666 | medium | 6.5 | 0% | 2026 |
| CVE-2025-22602 | medium | 6.5 | 0% | 2025 |
| CVE-2024-56328 | medium | 6.5 | 0% | 2025 |
| CVE-2024-47772 | medium | 6.5 | 0% | 2024 |
| CVE-2024-27100 | medium | 6.5 | 1% | 2024 |
| CVE-2024-27085 | medium | 6.5 | 1% | 2024 |
| CVE-2023-41043 | medium | 6.5 | 1% | 2023 |
| CVE-2023-40588 | medium | 6.5 | 1% | 2023 |
| CVE-2023-38706 | medium | 6.5 | 1% | 2023 |
| CVE-2023-36818 | medium | 6.5 | 1% | 2023 |
| CVE-2023-26040 | medium | 6.5 | 0% | 2023 |
| CVE-2023-25167 | medium | 6.5 | 1% | 2023 |
| CVE-2023-22739 | medium | 6.5 | 1% | 2023 |
| CVE-2022-23548 | medium | 6.5 | 1% | 2023 |
| CVE-2022-39385 | medium | 6.5 | 0% | 2022 |
| CVE-2022-39232 | medium | 6.5 | 1% | 2022 |
172 older / lower-severity CVEs not shown — see Discourse's full record.
Is my Discourse version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Discourse vulnerabilities — frequently asked
How many known vulnerabilities does Discourse have?
IsItPatched tracks 252 CVEs for Discourse. 4 are critical-severity and 38 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Discourse have any actively-exploited vulnerabilities?
None of Discourse's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe Discourse vulnerability?
Among tracked issues, CVE-2021-41163 (CRITICAL, CVSS 10) ranks highest — an injection weakness.
Is Discourse safe to use?
It depends on the version. The latest supported Discourse release (2026.5.0) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Discourse's advisories.