Command injection in Discourse - CVE-2025-59337
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to command injection in the backup restore functionality when restoring a crafted backup dump containing malicious meta-commands. A remote user can embed malicious meta-commands in a backup dump to disclose sensitive information.
In multisite environments, exploitation can allow access to data or credentials from other sites.
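
A pre-restore check for the issue described above, added here as an example and not taken from the advisory or from Discourse's code: it reports backslash-led lines in a dump that lie outside COPY data. It assumes the dump is plain-text PostgreSQL SQL replayed through psql, where a backslash at the start of a line introduces a meta-command; `find_meta_commands` and the sample dump are constructed for illustration.

```ruby
# Added example, not Discourse code.
# Assumption: the backup's dump is plain-text SQL that is replayed through psql.

# pg_dump writes each COPY header on one line, followed by data rows and "\.".
COPY_START = /\ACOPY\s.+\sFROM\s+stdin;\s*\z/i
COPY_END   = "\\."

# Returns [[line_number, text], ...] for every line that starts with a
# backslash outside a COPY data block. Rows inside COPY data are skipped,
# because values such as \N (NULL) legitimately begin with a backslash there.
# Limit: only line-leading backslashes are reported, not ones later in a line.
def find_meta_commands(dump_text)
  findings = []
  in_copy = false
  dump_text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if in_copy
      in_copy = false if line == COPY_END
      next
    end
    if line.match?(COPY_START)
      in_copy = true
    elsif line.lstrip.start_with?("\\")
      findings << [lineno, line.strip]
    end
  end
  findings
end

# Constructed sample dump: one COPY block whose row starts with \N,
# followed by a harmless backslash-led line that should be reported.
SAMPLE_DUMP = [
  "SET client_encoding = 'UTF8';",
  "COPY public.users (bio, id) FROM stdin;",
  "\\N\t1",
  "\\.",
  "\\echo constructed-marker",
  "SELECT 1;"
].join("\n")

if __FILE__ == $PROGRAM_NAME
  find_meta_commands(SAMPLE_DUMP).each do |lineno, text|
    puts "line #{lineno}: unexpected meta-command candidate: #{text}"
  end
end
```

A hit is a reason to hold the backup for review before restoring it, not proof that the dump is malicious.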