hello,
We’ve received an alert from this CVE that an instance of discourse is vulnerable to https://www.cve.org/CVERecord?id=CVE-2022-31096
It is said that the fix is in 2.9.0.beta6 but I’m unable to find and upgrade to that version. Is anyone else having this problem?
You’re right, the patch is there:
https://github.com/discourse/discourse/commit/115859964d6e3e92d6d933ffe8e1b330b12a3aca
but there has not been any bump in version since 
You can upgrade now and that commit will be applied. It’s not a critical security issue, so they didn’t bump the version to push it out.
We do a beta bump for a high severity CVE shortly after the fix is released, but we missed to do that for the last CVE (CVE-2022-31096). We released 2.9.0.beta6 last week (Thursday) so this should be resolved now.