QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27149

Published: Feb 26, 2026

Modified: Mar 3, 2026

PUBLISHED

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Vendor	Product	Versions
discourse	discourse	affected `< 2025.12.2` affected `>= 2026.1.0-latest, < 2026.1.1` affected `>= 2026.2.0-latest, < 2026.2.0`

Weaknesses (CWE)

References

https://github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.