For more information on all the changes released in 2026.6, check out:
Patch releases for other supported versions have also been released:
The mentioned CVEs in the security fixes do not appear to be related to Discourse.
Take for example this one:
CVE-2026-46413 Regular users can route multipart uploads into the admin backup store
Which links to this GHSA entry: Regular users can route multipart uploads into the admin backup store · Advisory · discourse/discourse · GitHub
But CVE-2026-46413 is about an issue in a BUFFALO Wi-Fi router: NVD - CVE-2025-46413
CVE-2026-49256 Hidden tag names leaked via category serializers
GHSA entry: Hidden tag names leaked via category serializers · Advisory · discourse/discourse · GitHub
But CVE-2026-49256 is about a bug in PillarJS’ path-to-regexp: NVD - CVE-2026-4926
Which is used by Discourse, but the bug talks about something on the Ruby side.
CVE-2026-44787 Signup-time primary_group_id assignment grants whisperer access
GHSA entry: Signup-time primary_group_id assignment grants whisperer access · Advisory · discourse/discourse · GitHub
But CVE-2026-44787 is about Apache APISIX: NVD - CVE-2026-44087
Your links are actually all wrong (they’re pointing to different numbers). I guess our CVEs are not propagated yet?
Oh ffs… useless Google search. My bad, I could have sworn searching like that used to work. (And I probably needed a bit more coffee.)