Security News > 2021 > October > CISA urges admins to patch critical Discourse code execution bug
A critical Discourse remote code execution vulnerability tracked as CVE-2021-41163 was fixed via an urgent update by the developer on Friday.
Discourse is an open-source forum, long-form chat, and mailing list management platform widely deployed on the web, offering excellent usability and integration potential while focusing heavily on social features.
According to official stats, Discourse was used to publish 3.5 million posts viewed by 405 million users in September 2021 alone.
Because of Discourse's widespread use, CISA also published an alert about the flaw, urging forum admins to update to the latest available version or apply the necessary workarounds.
A Shodan search has returned 8,641 Discourse deployments, many of which could still be exposed to RCE exploitation potential.
The researcher who discovered the flaw told BleepingComputer that he reported the problem to the Discourse team immediately, on October 10, 2021.
News URL
Related news
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- CISA orders agencies to patch BeyondTrust bug exploited in attacks (source)
- Rsync vulnerabilities allow remote code execution on servers, patch quickly! (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-20 | CVE-2021-41163 | Injection vulnerability in Discourse Discourse is an open source platform for community discussion. | 9.8 |