Unrated severityNVD Advisory· Published Sep 29, 2022· Updated Apr 23, 2025
Discourse user profile location and website fields were not sufficiently length-limited
CVE-2022-39226
Description
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<2.8.9 (stable) or <2.9.0.beta10 (beta / tests-passed)+ 1 more
- (no CPE)range: <2.8.9 (stable) or <2.9.0.beta10 (beta / tests-passed)
- (no CPE)range: < 2.8.9
Patches
Vulnerability mechanics
References
3- github.com/discourse/discourse/commit/e69f7d2fd9c977dedbdb17f6813651e2a45bfb71mitrex_refsource_MISC
- github.com/discourse/discourse/pull/18302mitrex_refsource_MISC
- github.com/discourse/discourse/security/advisories/GHSA-jw3q-xg5g-qjrwmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.