Information disclosure in Discourse - CVE-2021-37703
Published: August 13, 2021 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the unread state message handling when processing server-published unread state messages. A remote attacker can trigger a victim client to receive a message that exposes a user's read state to disclose sensitive information.
User interaction is required.