{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33393","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-19T17:02:34.169Z","datePublished":"2026-03-19T22:04:26.484Z","dateUpdated":"2026-03-20T20:15:16.294Z"},"containers":{"cna":{"title":"Discourse fixes loose hostname matching in spam host allowlist","problemTypes":[{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6"},{"name":"https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2"},{"name":"https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02"},{"name":"https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e"}],"affected":[{"vendor":"discourse","product":"discourse","versions":[{"version":">= 2026.1.0-latest, < 2026.1.2","status":"affected"},{"version":">= 2026.2.0-latest, < 2026.2.1","status":"affected"},{"version":"= 
2026.3.0-latest","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-19T22:04:26.484Z"},"descriptions":[{"lang":"en","value":"Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check compared link hosts against the allowlist with `String#end_with?` and no domain-boundary validation, so any host whose name merely ended with an allowlisted domain was treated as allowlisted: with `example.com` on the list, links to `attacker-example.com` (or any similarly suffixed host an attacker registers) were not counted toward `newuser_spam_host_threshold`, letting a new user bypass that spam protection. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 accept a host only when it exactly matches an allowlisted domain or is a proper subdomain of it (the allowlisted domain is preceded by a `.`), which closes the suffix-based bypass. No known workarounds are available; affected deployments should upgrade to a fixed version."}],"source":{"advisory":"GHSA-95r5-p6qr-hgw6","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-20T20:15:06.393968Z","id":"CVE-2026-33393","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-20T20:15:16.294Z"}}]}}