Vulnerability Details CVE-2025-22601
Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.7%
CVSS Severity
CVSS v3 Score 3.1
Products affected by CVE-2025-22601
-
cpe:2.3:a:discourse:discourse:1.1.0
-
cpe:2.3:a:discourse:discourse:1.2.0
-
cpe:2.3:a:discourse:discourse:1.3.0
-
cpe:2.3:a:discourse:discourse:1.4.0
-
cpe:2.3:a:discourse:discourse:1.5.0
-
cpe:2.3:a:discourse:discourse:1.6.0
-
cpe:2.3:a:discourse:discourse:1.7.0
-
cpe:2.3:a:discourse:discourse:1.8.0
-
cpe:2.3:a:discourse:discourse:1.9.0
-
cpe:2.3:a:discourse:discourse:2.0.0
-
cpe:2.3:a:discourse:discourse:2.1.0
-
cpe:2.3:a:discourse:discourse:2.2.0
-
cpe:2.3:a:discourse:discourse:2.3.0
-
cpe:2.3:a:discourse:discourse:2.4.0
-
cpe:2.3:a:discourse:discourse:2.5.0
-
cpe:2.3:a:discourse:discourse:2.6.0
-
cpe:2.3:a:discourse:discourse:2.7.0
-
cpe:2.3:a:discourse:discourse:2.8.0
-
cpe:2.3:a:discourse:discourse:2.9.0
-
cpe:2.3:a:discourse:discourse:3.0.0
-
cpe:2.3:a:discourse:discourse:3.1.0
-
cpe:2.3:a:discourse:discourse:3.2.0
-
cpe:2.3:a:discourse:discourse:3.3.0
-
cpe:2.3:a:discourse:discourse:3.4.0