CVE-2026-34947

EUVD-2026-18882
Severity: LOW
2026-04-03 GitHub_M
CVSS 4.0: 2.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 03, 2026 - 22:15 (vuln.today)
EUVD ID Assigned: Apr 03, 2026 - 22:15 (euvd), EUVD-2026-18882
CVE Published: Apr 03, 2026 - 21:27 (nvd), LOW 2.7

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Analysis

Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta expose staged user custom fields and usernames on public invite pages without requiring email verification. An unauthenticated remote attacker can enumerate user information and custom field data by accessing public invitation links, potentially gathering sensitive user attributes before account activation. …


Priority Score

14
KEV: 0
EPSS: +0.0
CVSS: +14
POC: 0
