CVE-2025-69218
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | Up to 3.5.4 (exc) |
| discourse | discourse | From 2025.11.0 (inc) to 2025.11.2 (exc) |
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2026.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Limit moderator privileges to trusted users until the patch is applied. Upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 where this issue is patched.
Can you explain this vulnerability to me?
This vulnerability in Discourse allows moderators, who should have limited access, to view the 'top_uploads' admin report that is intended only for admins. This report contains direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments. As a result, moderators can access sensitive information they are not authorized to see.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive data because moderators can access private files and data exports that should be restricted to admins only. This exposure could result in privacy breaches, data leaks, and potential misuse of sensitive user and administrative information.