CVE-2026-49256

MEDIUM

CVSS v4.0: 6.3

NetworkNo privilegesNo user interactionInformation ExposureVendor advisory ref

Source data as of:

At a glance

Severity
MEDIUM
CVSS
6.3 v4.0 · NVD
EPSS
EPSS not provided by FIRST.org for this CVE
CISA KEV
No
Type
Information Exposure · NVD CWE
Attack conditions (CVSS vector)
NetworkNo privilegesNo user interaction · Source: NVD Vector
Published
2026-07-09 · Modified: 2026-07-09

CVSS / EPSS / KEV

CVSS v4.0 6.3 / 10 MEDIUM Source: NVD
EPSS EPSS not provided by FIRST.org for this CVE Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Record details

CVE ID
CVE-2026-49256
CVSS (v4.0)
6.3 (MEDIUM)
Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA KEV
No
Weakness (CWE)
CWE-200
Affected configurations (CPE)
0
Published
2026-07-09
Modified
2026-07-09
Status
Received

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.