Unrated severityNVD Advisory· Published Jan 5, 2023· Updated Mar 10, 2025

Discourse vulnerable to bypass of post max_length using HTML comments

CVE-2022-23549

Description

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, users can create posts with raw body longer than the max_length site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Affected products

Discourse (software)/Discoursev5
Range: 2.8.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8mitre
github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xpmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000