If a topic has hundreds (or thousands!) of posts, any user, including a guest, can make each and every one of those posts display on a single page by manipulating limit parameter in the url, regardless of the default "Posts per page" setting in the backend. This can potentially cripple a server in very short time. Adding an option in the backend that sets a maximum number of displayed posts could prevent this from being a problem. For example, in the Security tab:
"Max number of posts per page:"
followed by a number field.
Hey wait, I just had a better idea! What if Kunena ignores the limit= parameter in the url and always uses the existing "Posts per page" value in the backend, UNLESS the user has moderator privileges for the topic he's reading/moderating? Then the vulnerability disappears completely, no new backend option needs to be added, and trusted moderators are unlikely to abuse the privilege but they can still increase the number of displayed posts to ease moderation.
I'm making a simple fix of restricting max number of posts to default*2.
[#174] Set upper limit to number of posts displayed