Vulnerability Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6wThird Party AdvisoryMitigation
FAQ
What is CVE-2025-69218?
CVE-2025-69218 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admi...
How severe is CVE-2025-69218?
CVE-2025-69218 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-69218?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.