rubygems
954 tracked vulnerabilities.
| CVE | Severity | Advisory title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-44511 | HIGH | Katalyst Koi: Session cookies can be replayed after user logout | May 14, 2026 | 7.4 | 0.00 |
| CVE-2026-44312 | MEDIUM | css_parser allows MITM of included HTTPS CSS URLs | May 14, 2026 | 5.8 | 0.00 |
| CVE-2026-42258 | CRITICAL | net-imap: Command Injection via unvalidated Symbol inputs | May 09, 2026 | 9.8 | 0.00 |
| CVE-2026-42257 | CRITICAL | net-imap: Command Injection via "raw" arguments to multiple commands | May 09, 2026 | 9.8 | 0.00 |
| CVE-2026-42256 | MEDIUM | net-imap: Denial of service via high iteration count for `SCRAM-*` authentication | May 09, 2026 | 6.5 | 0.00 |
| CVE-2026-42246 | HIGH | net-imap vulnerable to STARTTLS stripping via invalid response timing | May 09, 2026 | 7.4 | 0.00 |
| CVE-2026-42245 | HIGH | net-imap: Quadratic complexity when reading response literals | May 09, 2026 | 7.5 | 0.00 |
| CVE-2026-42205 | HIGH | Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources | May 08, 2026 | 8.8 | 0.00 |
| CVE-2026-41493 | HIGH | yard: Possible arbitrary path traversal and file access via yard server | May 08, 2026 | 7.5 | 0.00 |
| CVE-2026-42087 | CRITICAL | OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Database | May 04, 2026 | 9.6 | 0.00 |
| CVE-2026-42086 | MEDIUM | OpenC3 COSMOS: Self-XSS in the Command Sender | May 04, 2026 | 4.6 | 0.00 |
| CVE-2026-42085 | MEDIUM | OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames | May 04, 2026 | 4.3 | 0.00 |
| CVE-2026-42084 | HIGH | OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence | May 04, 2026 | 8.1 | 0.00 |
| CVE-2026-41316 | HIGH | ERB has an @_init deserialization guard bypass via def_module / def_method / def_class | Apr 24, 2026 | 8.1 | 0.00 |
| CVE-2026-41146 | HIGH | facil.io and downstream iodine Ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition | Apr 22, 2026 | (not listed) | 0.00 |
| CVE-2026-40869 | HIGH | Decidim amendments can be accepted or rejected by anyone | Apr 21, 2026 | 7.5 | 0.00 |
| CVE-2026-27820 | CRITICAL | zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption | Apr 16, 2026 | 9.8 | 0.00 |
| CVE-2026-23891 | HIGH | Decidim <0.30.5 and <0.31.1 User Name: Stored Cross-Site Scripting | Apr 13, 2026 | 8.7 | 0.00 |
| CVE-2026-40070 | HIGH | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) | Apr 09, 2026 | 8.1 | 0.00 |
| CVE-2026-40069 | HIGH | bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts | Apr 09, 2026 | 7.5 | 0.00 |
| CVE-2026-39324 | CRITICAL | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | Apr 07, 2026 | 9.8 | 0.00 |
| CVE-2026-35611 | HIGH | Addressable has a Regular Expression Denial of Service in Addressable templates | Apr 07, 2026 | 7.5 | 0.00 |
| CVE-2026-35201 | MEDIUM | Discount has an Out-of-bounds Read in rdiscount | Apr 06, 2026 | 5.9 | 0.00 |
| CVE-2026-34835 | MEDIUM | Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass | Apr 02, 2026 | 4.8 | 0.00 |
| CVE-2026-34827 | HIGH | Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser | Apr 02, 2026 | 7.5 | 0.00 |
Products (tracked vulnerabilities per gem)

| Product | Vulnerabilities |
|---|---|
| actionpack | 63 |
| rack | 50 |
| nokogiri | 34 |
| rubygems | 25 |
| rubygems-update | 25 |
| activerecord | 23 |
| puppet | 23 |
| activesupport | 17 |
| publify_core | 15 |
| passenger | 14 |
| rails-html-sanitizer | 14 |
| actionview | 13 |
| decidim | 12 |
| puma | 12 |
| camaleon_cms | 11 |
| fat_free_crm | 11 |
| rails | 11 |
| activestorage | 10 |
| ruby-saml | 10 |
| jquery-rails | 9 |
| openc3 | 8 |
| rexml | 8 |
| bootstrap | 7 |
| bootstrap-sass | 7 |
| jquery-ui-rails | 7 |
| katello | 7 |
| lodash-rails | 7 |
| net-imap | 7 |
| spree | 7 |
| avo | 6 |