Information disclosure in Discourse - CVE-2026-33394
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the Post Edits admin report (/admin/reports/post_edits) when displaying post edit data. A remote privileged user can view the report to disclose sensitive information.
The issue exposed the first 40 characters of raw post content from private messages and secure categories to moderators without access to that content.