{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T11:46:40.644","vulnerabilities":[{"cve":{"id":"CVE-2026-27021","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T21:28:53.927","lastModified":"2026-03-02T21:31:27.027","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available."},{"lang":"es","value":"Discourse es una plataforma de discusión de código abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, el endpoint de votantes en el plugin de encuestas carecía de comprobaciones de visibilidad de publicaciones, lo que permitía el acceso no autorizado a los detalles de los votantes de las encuestas en cualquier publicación. Las versiones 2025.12.2, 2026.1.1 y 2026.2.0 parchean el problema. No se conocen soluciones alternativas disponibles."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*","versionEndExcluding":"2025.12.0","matchCriteriaId":"6DB837D7-28C8-4E0F-B55F-AAAA36F32035"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.1.0","versionEndExcluding":"2026.1.1","matchCriteriaId":"1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*","matchCriteriaId":"BB002FDC-BC71-4C46-8AAF-A34EC717E0E7"}]}]}],"references":[{"url":"https://github.com/discourse/discourse/security/advisories/GHSA-f5m5-9hpw-7c2g","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}