rubygems

965 tracked vulnerabilities.

CVE-2026-54297 HIGH
Faraday NestedParamsEncoder < 1.10.6/2.14.3 - Stack Exhaustion DoS
Jun 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-47242 MEDIUM
Net::IMAP: Command Injection via ID command argument
Jun 22, 2026
EPSS 0.00
CVE-2026-47241 LOW
Net::IMAP: Denial of Service via incomplete raw argument validation
Jun 22, 2026
EPSS 0.00
CVE-2026-47240 MEDIUM
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Jun 22, 2026
EPSS 0.00
CVE-2026-49342 MEDIUM
YARD static cache reads raw traversal paths before router sanitization
Jun 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-12515 MEDIUM
Katello: missing repository authorization in content_uploads exposes cross-product content existence
Jun 17, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44587 MEDIUM
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Jun 17, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44837 MEDIUM
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
May 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-44836 MEDIUM
view_component: Preview Route Can Dispatch Inherited Helper Methods
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-40295 MEDIUM
Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
May 22, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33637 NONE
Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)
May 19, 2026
EPSS 0.00
CVE-2026-44511 HIGH
Katalyst Koi: Session cookies can be replayed after user logout
May 14, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-44312 MEDIUM
css_parser allows to MITM included https css urls
May 14, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-42258 MEDIUM
net-imap: Command Injection via unvalidated Symbol inputs
May 09, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-42257 CRITICAL
net-imap: Command Injection via "raw" arguments to multiple commands
May 09, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42256 MEDIUM
net-imap: Denial of service via high iteration count for `SCRAM-*` authentication
May 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42246 HIGH
net-imap vulnerable to STARTTLS stripping via invalid response timing
May 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-42245 HIGH
net-imap: Quadratic complexity when reading response literals
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42205 HIGH
Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41493 HIGH
yard: Possible arbitrary path traversal and file access via yard server
May 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42087 CRITICAL
OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base
May 04, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42086 MEDIUM
OpenC3 COSMOS: Self-XSS in the Command Sender
May 04, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-42085 MEDIUM
OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames
May 04, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-42084 HIGH
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
May 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41316 HIGH
ERB def_module/def_method/def_class - Deserialization Guard Bypass
Apr 24, 2026
CVSS 8.1
EPSS 0.01