CVE-2026-33408

low-risk
Published 2026-03-19

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.2/10 Low
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Discourse

References (4)

Patch https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe...
Patch https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a...
Patch https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe58940324...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c
16
/ 100
low-risk
Severity 9/34 · Low
Exploitability 0/34 · Minimal
Exposure 7/34 · Low