CVE-2025-47288

Source
https://cve.org/CVERecord?id=CVE-2025-47288
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47288.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47288
Aliases
  • GHSA-jc5r-rm2j-mh4x
Published
2025-05-29T19:25:49.798Z
Modified
2026-04-02T12:49:43.945497Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Discourse Policy plugin private group members visible
Details

The Discourse Policy plugin gives the ability to confirm that users have seen or done something. Prior to version 0.1.1, if a policy was posted to a public topic that was tied to a private group, then the group members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround involves moving any policy topics with private groups to restricted categories.

Database specific
{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47288.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/discourse/discourse-policy

Affected ranges

Type
GIT
Repo
https://github.com/discourse/discourse-policy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47288.json"