CISA Urges Sites to Patch Critical RCE in Discourse (Security News, October 2021)

Discourse - the ultra-popular, widely deployed open-source community forum and mailing list management platform - has a critical remote code-execution bug that was fixed in an urgent update on Friday.
Discourse is widely used and wildly popular, being known for topping competing forum software platforms in terms of usability.
The issue has been patched in the latest beta, stable and tests-passed versions of Discourse.
The researcher, "Joernchen," told BleepingComputer that he reported the issue to the Discourse team immediately upon finding it on Oct. 10 and that the patch itself made it easy to figure out how an exploit would work.
Although the software-as-a-service versions of Discourse were fixed as of Wednesday, there might still be many vulnerable deployments.
Threatpost has reached out to Discourse for more details and to ask whether or not the team has seen any signs that the RCE has been exploited in the wild.
News URL: https://threatpost.com/cisa-critical-rce-discourse/175705/
Related news
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
- CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks
- Gladinet's Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability
- CISA extends funding to ensure 'no lapse in critical CVE services'
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)