CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-32099

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user's profile URL and receive their hidden profile fields (bio, location, website) in the response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 0.9%

CVSS Severity

CVSS v3 Score 4.3

References

https://github.com/discourse/discourse/security/advisories/GHSA-q83g-cj26-j4x5

Products affected by CVE-2026-32099

Discourse » Discourse » Version: 2026.1.0

cpe:2.3:a:discourse:discourse:2026.1.0
Discourse » Discourse » Version: 2026.2.0

cpe:2.3:a:discourse:discourse:2026.2.0
Discourse » Discourse » Version: 2026.3.0

cpe:2.3:a:discourse:discourse:2026.3.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-32099

Products

Pricing

Contact Us