I believe the discourse team could do a better job at transparency over security issues. The last one only says:
This beta includes 1 security fix for issues reported by our community and HackerOne 8.
- Prefer Loofah for processing cooked HTML
And I was not able to find said report on HackerOne.
Ideally the release would include a link to the HackerOne report and the severity of the security issue at hand.