v2025.12.1 → v2025.12.2
Security Fixes
Prevent moderators from exporting user Chat DMs
DM communication-preference bypass when adding members
Lack of post access check in discourse-policy
IDOR vulnerability in the directory items endpoint
Scope reviewable notes to user-visible reviewables
Poll voters endpoint lacked post visibility checks
Authentication bypass vulnerability in the Patreon plugin webhook endpoint
TL4 users are able to change status of restricted topics
Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
Ensures webhooks require a token
Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category
Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners