
Discourse EUVD-2026-36560 | CVE-2026-47263 (MEDIUM)
Information Exposure (CWE-200)
2026-06-12 · Vendor: GitHub_M
CVSS 3.1 base score: 4.3

Severity by source

Vendor (GitHub_M), primary: 4.3 MEDIUM
  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

vuln.today AI: 5.3 MEDIUM
  Network-accessible with no complexity, no privileges, and no user interaction needed; confidentiality impact is low and integrity/availability are unaffected.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M). The two 3.1 vectors differ only in User Interaction (vendor UI:R, vuln.today UI:N), which accounts for the 4.3 versus 5.3 difference.

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 12, 2026 - 22:01 (EUVD)
Analysis generated: Jun 12, 2026 - 21:30 (vuln.today)

Description (source: CVE.org)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Analysis (AI-generated)

Unauthorized access to webhook event data in Discourse exposes internal webhook payloads to any authenticated user - or unauthenticated users on instances with login_required disabled - across versions 2026.1.0 through several branch heads. The flaw resides in the MessageBus channel /web_hook_events/<id>, which the Jobs::RedeliverWebHookEvents job publishes to without enforcing group_id restrictions, allowing unrestricted channel subscription. …
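The description above turns on one detail: a MessageBus publish that carries no group_ids (or user_ids) restriction is deliverable to every subscriber who knows the channel name. The following is an added, constructed model of that authorization rule written for this page; it is not the message_bus gem, nor Discourse's Jobs::RedeliverWebHookEvents code. It places the unrestricted publish described in the advisory beside a restricted form that limits the channel to a staff group, and reports who can read the payload under each. The bus class, STAFF_GROUP_ID, the sample payload and the choice of staff as the restricted audience are assumptions made for illustration.

```ruby
# Constructed model of MessageBus-style channel authorization (not the
# message_bus gem or Discourse's own code). It shows why a publish call that
# omits group_ids/user_ids is readable by every subscriber, and what the
# restricted form changes. Names and group ids below are assumptions.

STAFF_GROUP_ID = 3 # assumed: stands in for a staff group id

User = Struct.new(:id, :group_ids) # group_ids is empty for regular members

class ChannelBus
  Message = Struct.new(:channel, :data, :group_ids, :user_ids)

  def initialize
    @log = []
  end

  # Same shape as a publish call: with no audience restriction the message
  # carries nil for both lists and is visible to anyone who knows the channel.
  def publish(channel, data, group_ids: nil, user_ids: nil)
    @log << Message.new(channel, data, group_ids, user_ids)
  end

  # Subscriber-side filter: an unrestricted message is delivered to everyone
  # (anonymous included); otherwise the subscriber must match by user id or
  # by membership in one of the listed groups.
  def visible?(message, user)
    return true if message.group_ids.nil? && message.user_ids.nil?
    return false if user.nil?
    return true if message.user_ids&.include?(user.id)
    return true if message.group_ids && (message.group_ids & user.group_ids).any?

    false
  end

  # Payloads a subscriber of `channel` would receive.
  def deliver(channel, user)
    @log.select { |m| m.channel == channel && visible?(m, user) }.map(&:data)
  end
end

# Vulnerable form as the advisory describes it: no group_ids on the channel.
def publish_unrestricted(bus, web_hook_id, payload)
  bus.publish("/web_hook_events/#{web_hook_id}", payload)
end

# Restricted form (assumed remediation shape): only the staff group may read it.
def publish_restricted(bus, web_hook_id, payload)
  bus.publish("/web_hook_events/#{web_hook_id}", payload, group_ids: [STAFF_GROUP_ID])
end

# Counts how many payloads each kind of reader receives under each publish form.
def compare_exposure(web_hook_id = 7)
  payload = { status: 200, event_type: "post_created" } # constructed sample
  anonymous = nil
  member = User.new(42, [])
  staff = User.new(1, [STAFF_GROUP_ID])
  channel = "/web_hook_events/#{web_hook_id}"

  unrestricted = ChannelBus.new
  publish_unrestricted(unrestricted, web_hook_id, payload)
  restricted = ChannelBus.new
  publish_restricted(restricted, web_hook_id, payload)

  readers = { anonymous: anonymous, member: member, staff: staff }
  {
    unrestricted: readers.transform_values { |u| unrestricted.deliver(channel, u).size },
    restricted: readers.transform_values { |u| restricted.deliver(channel, u).size }
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_exposure.each { |form, counts| puts "#{form}: #{counts}" }
end
```

Run as a script it prints one line per form; the unrestricted channel reaches the anonymous reader, the member and staff alike, while the restricted one reaches staff only. The useful defender's habit this models is a review question for any publish to a channel named after a resource id: which group_ids or user_ids does this call carry, and if none, is that intentional.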


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Access Discourse instance (authenticated or anonymous)
Delivery: Discover or guess sequential webhook event IDs
Exploit: Subscribe to /web_hook_events/<id> MessageBus channel
Execution: Receive unrestricted webhook event payload
Impact: Enumerate additional IDs to harvest full webhook history

Vulnerability Assessment (AI-generated)

Exploitation: On Discourse instances where login_required is disabled (the default for many public communities), no authentication is required; anonymous users can subscribe to any /web_hook_events/<id> channel. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The vendor-assigned CVSS score of 4.3 (Medium) uses AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. …

Exploit Scenario: An attacker, authenticated or anonymous depending on instance configuration, subscribes to the Discourse MessageBus channel /web_hook_events/1, /web_hook_events/2, and so on, iterating sequential integer IDs to retrieve webhook event payloads. Because webhook IDs are sequential integers with no per-channel authorization check, the attacker harvests event data (potentially including integration tokens, payload bodies, or system event details) across all redelivered webhook events without any elevated privileges. …

Remediation: Vendor-released patches are confirmed in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1; upgrade to the appropriate patched release for your branch. …


EUVD-2026-36560 vulnerability details – vuln.today
