June 2026 monthly release

For more information on all the changes released in 2026.6, check out:

Patch releases for other supported versions have also been released:

8 Likes

The mentioned CVEs in the security fixes do not appear to be related to Discourse.

Take for example this one:

CVE-2026-46413 Regular users can route multipart uploads into the admin backup store

Which links to this GHSA entry: Regular users can route multipart uploads into the admin backup store · Advisory · discourse/discourse · GitHub

But CVE-2026-46413 is about an issue in BUFFALO Wi-Fi router: NVD - CVE-2025-46413

CVE-2026-49256 Hidden tag names leaked via category serializers

GHSA entry: Hidden tag names leaked via category serializers · Advisory · discourse/discourse · GitHub

But CVE-2026-49256 is about a bug in PillarJS’ path-to-regexp: NVD - CVE-2026-4926

Which is used by Discourse, but the bug talks about something on the Ruby side.

CVE-2026-44787 Signup-time primary_group_id assignment grants whisperer access

GHSA entry: Signup-time primary_group_id assignment grants whisperer access · Advisory · discourse/discourse · GitHub

But CVE-2026-44787 is about Apache APISIX: NVD - CVE-2026-44087

2 Likes

Your links are actually all wrong (they’re pointing to different numbers). I guess our CVEs are not propagated yet?

4 Likes

oh ffs… useless google search. My bad, I could have sworn searching like that used to work. (And I probably needed a bit more coffee)

4 Likes