Exploit Intelligence Platform

CVE-2025-24293 1 PoC Analysis EPSS 0.00

Rubygems Activestorage < 8.0.2.1 - Command Injection

# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this!

CWE-94 Jan 30, 2026

CVE-2026-23885 6.4 MEDIUM 1 PoC Analysis EPSS 0.00

Alchemy <7.4.12,8.0.3 - Code Injection

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.

CWE-95 Jan 19, 2026

CVE-2011-10026 9.8 CRITICAL 2 PoCs Analysis EPSS 0.65

Spree < 0.50.1 - OS Command Injection

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.

CWE-78 Aug 20, 2025

CVE-2011-10019 9.8 CRITICAL 2 PoCs Analysis EPSS 0.69

Spree < 0.60.2 - Code Injection

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

CWE-94 Aug 13, 2025

CVE-2025-54887 9.1 CRITICAL 1 PoC Analysis EPSS 0.00

jwe <1.1.0 - Confidentiality Disclosure

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.

CWE-354 Aug 08, 2025

CVE-2025-2304 17 PoCs Analysis EPSS 0.00

Rubygems Camaleon Cms < 2.9.1 - Privilege Escalation

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

CWE-915 Mar 14, 2025

CVE-2025-25291 9.8 CRITICAL 1 PoC 1 Writeup Analysis NUCLEI EPSS 0.14

ruby-saml <1.12.4,1.18.0 - Auth Bypass

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CWE-436 Mar 12, 2025

CVE-2025-27590 9.0 CRITICAL 1 PoC Analysis EPSS 0.01

Oxidized Web < 0.15.0 - Path Traversal

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.

CWE-22 Mar 03, 2025

CVE-2024-48652 4.8 MEDIUM 1 PoC Analysis EPSS 0.29

Tuzitio Camaleon Cms - XSS

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.

CWE-79 Oct 22, 2024

CVE-2024-45614 5.4 MEDIUM 1 PoC Analysis EPSS 0.01

Puma < 5.6.9 - HTTP Request Smuggling

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.

CWE-639 Sep 19, 2024

CVE-2024-46987 7.7 HIGH 9 PoCs Analysis EPSS 0.00

Tuzitio Camaleon Cms < 2.8.2 - Information Disclosure

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE-22 Sep 18, 2024

CVE-2024-46986 9.9 CRITICAL 1 PoC Analysis NUCLEI EPSS 0.92

Tuzitio Camaleon Cms < 2.8.2 - Path Traversal

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE-22 Sep 18, 2024

CVE-2024-45409 10.0 CRITICAL EXPLOITED 2 PoCs Analysis NUCLEI EPSS 0.41

Ruby-SAML <=1.16.0 - Auth Bypass

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

CWE-347 Sep 10, 2024

CVE-2024-39908 4.3 MEDIUM 1 PoC Analysis EPSS 0.07

Ruby-lang Rexml < 3.3.2 - Denial of Service

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

CWE-400 Jul 16, 2024

CVE-2024-35176 5.3 MEDIUM 1 PoC Analysis EPSS 0.07

Ruby-lang Rexml < 3.2.7 - Denial of Service

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

CWE-770 May 16, 2024

CVE-2024-26144 5.3 MEDIUM 2 PoCs Analysis EPSS 0.02

Rails < 6.1.7.7 - Information Disclosure

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

CWE-200 Feb 27, 2024

CVE-2024-22411 6.5 MEDIUM 1 PoC Analysis EPSS 0.06

Avo <3 pre12 - XSS

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

CWE-79 Jan 16, 2024

CVE-2023-31606 7.5 HIGH 2 PoCs Analysis EPSS 0.01

redcloth gem <4.0.0 - DoS

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

CWE-1333 Jun 06, 2023

CVE-2023-30145 9.8 CRITICAL 2 PoCs Analysis EPSS 0.53

Tuzitio Camaleon Cms < 2.7.0 - Code Injection

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

CWE-94 May 26, 2023

CVE-2022-36231 9.8 CRITICAL 1 PoC Analysis EPSS 0.09

pdf_info 0.5.3 - Command Injection

pdf_info 0.5.3 is vulnerable to Command Execution because the Ruby code uses backticks instead of Open3.

CWE-78 Feb 23, 2023

CVE & Exploit Intelligence Database

Investigate

Ecosystems

Reference Indexes

Recent Blog Posts

CVEForge Labs

KEV Gaps