v2026.1.1 → v2026.1.2
Security Fixes
Harden chat DM channel creation and expansion
Filter whisper posts from private-posts feed
Prevent hidden profile data leak via user onebox
Do not leak PM post edits to moderators
Fix loose hostname matching in spam host allowlist
Check revision visibility on posts endpoint
Improper Authorization in "Post Edits" Report For Moderators
HTML injection via prohibited iframe URLs
Stored click-based XSS via Graphviz SVG javascript: links
Bypass of official warnings messages by non-staff users
Stored XSS in AI Triage Automation
Stored XSS via Shared AI Conversation Onebox
Restricted post-action counts are disclosed to non-privileged users
Private topic title and post excerpt leaked via user action API endpoint
Private topic metadata leaked to non-authorised users
Group membership addition permission bypass via discourse-policy plugin
Missing permission check for policy creation in discourse-policy