CVE-2025-68479

EUVD-2025-206451
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
GitHub_MCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
discoursediscourse
𝑥
< 3.5.4
discoursediscourse
2025.11.0 ≤
𝑥
< 2025.11.2
discoursediscourse
2025.12.0
discoursediscourse
2026.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327