Unrated severityNVD Advisory· Published Sep 29, 2022· Updated Apr 23, 2025

Discourse user profile location and website fields were not sufficiently length-limited

CVE-2022-39226

Description

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.

Affected products

Discourse (software)/Discoursev5
Range: < 2.8.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/e69f7d2fd9c977dedbdb17f6813651e2a45bfb71mitrex_refsource_MISC
github.com/discourse/discourse/pull/18302mitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-jw3q-xg5g-qjrwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000