diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index ff6d31efe9f..12d58237a11 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -247,13 +247,17 @@ class TagsController < ::ApplicationController
     filter_params = {
       for_input: params[:filterForInput],
       selected_tags: params[:selected_tags],
-      limit: params[:limit],
       exclude_synonyms: params[:excludeSynonyms],
       exclude_has_synonyms: params[:excludeHasSynonyms],
     }
 
-    if filter_params[:limit] && filter_params[:limit].to_i < 0
-      raise Discourse::InvalidParameters.new(:limit)
+    if params[:limit]
+      begin
+        filter_params[:limit] = Integer(params[:limit])
+        raise Discourse::InvalidParameters.new(:limit) if !filter_params[:limit].positive?
+      rescue ArgumentError
+        raise Discourse::InvalidParameters.new(:limit)
+      end
     end
 
     filter_params[:category] = Category.find_by_id(params[:categoryId]) if params[:categoryId]
diff --git a/spec/requests/tags_controller_spec.rb b/spec/requests/tags_controller_spec.rb
index 7cb2c7aa4e0..4e7ffe6ad18 100644
--- a/spec/requests/tags_controller_spec.rb
+++ b/spec/requests/tags_controller_spec.rb
@@ -1112,6 +1112,15 @@ RSpec.describe TagsController do
     )
   end
 
+  it "returns error 400 for suspicious limit" do
+    get "/tags/filter/search.json", params: { q: "", limit: "1; SELECT 1" }
+
+    expect(response.status).to eq(400)
+    expect(response.parsed_body["errors"].first).to eq(
+      I18n.t("invalid_params", message: "limit"),
+    )
+  end
+
   it "includes required tag group information" do
     tag1 = Fabricate(:tag)
     tag2 = Fabricate(:tag)
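Review bot: `rescue ArgumentError` in the new `begin` block does not cover `TypeError`, which `Integer()` raises when `params[:limit]` is not a String — a request where the parameter arrives as an Array or Hash (nested-param syntax) would surface as an unhandled exception rather than the intended 400. The smallest fix is `rescue ArgumentError, TypeError`; alternatively drop the begin/rescue and write `limit = Integer(params[:limit], exception: false)` followed by `raise Discourse::InvalidParameters.new(:limit) unless limit&.positive?` and `filter_params[:limit] = limit`, which covers both error classes and reads as a guard clause instead of `if !...positive?`. Note that `Integer()` also accepts non-decimal literals such as `"0x10"` or `"1_000"`, so the accepted input is looser than plain digits, though the result is always an Integer. There is still no upper bound on `limit`; whether the downstream filter caps it is not visible in this hunk. The enclosing action starts and ends outside the hunk.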
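Review bot: The new example in `it "returns error 400 for suspicious limit"` pins only the injection-looking string, while the controller change also rejects `"0"`, negative values and non-numeric strings, and none of those branches are asserted here. Consider iterating the example over `["1; SELECT 1", "0", "-1", "abc"]`, and adding an array value such as `limit: ["1"]`, which presumably reaches `Integer()` as an Array rather than a String, so every rejection path is covered by the same 400 expectation. The surrounding describe block starts and ends outside the hunk.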