diff --git a/CHANGELOG.md b/CHANGELOG.md
index b79217324..e82d99ed8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ### Notable enhancements and fixes
+* Security
+  * Limit requested revisions in timeslider and export to head revision. (affects v1.9.0)
+
 * Bugfixes
   * revisions in `CHANGESET_REQ` (timeslider) and export (txt, html, custom) are now checked to be numbers.
diff --git a/src/node/db/Pad.js b/src/node/db/Pad.js
index b692962f1..a9c87541f 100644
--- a/src/node/db/Pad.js
+++ b/src/node/db/Pad.js
@@ -172,6 +172,9 @@ class Pad {
   async getInternalRevisionAText(targetRev) {
     const keyRev = this.getKeyRevisionNumber(targetRev);
+    const headRev = this.getHeadRevisionNumber();
+    if (targetRev > headRev)
+      targetRev = headRev;
     const [keyAText, changesets] = await Promise.all([
       this._getKeyRevisionAText(keyRev),
       Promise.all(