Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta, are production ready.
- Sanitize d-popover attributes (CVE-2021-37633)
- Destroy EmailToken when EmailChangeRequest is destroyed (CVE-2021-37693)
- User’s read state for topic is leaked to unauthorized clients (CVE-2021-37703)
- Escape cat name (CVE-2021-39161)