v2026.1.0 → v2026.1.1
Security Fixes
XSS when editing a malicious post
Prevent moderators from exporting user Chat DMs
Validate destination topic when moving posts
Prevent whispers from leaking in excerpts
DM communication-preference bypass when adding members
Ensure guardian check when creating QueryGroupBookmark
SQL injection in PM tag filtering
Lack of post access check in discourse-policy
IDOR vulnerability in the directory items endpoint
Scope reviewable notes to user-visible reviewables
Poll voters endpoint lacked post visibility checks
Authentication bypass vulnerability in the Patreon plugin webhook endpoint
TL4 users are able to change status of restricted topics
Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
Ensures webhooks require a token
Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category
Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners