rubygems
965 tracked vulnerabilities.
CVE-2026-54297
HIGH
Faraday NestedParamsEncoder < 1.10.6/2.14.3 - Stack Exhaustion DoS
Jun 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-47242
MEDIUM
Net::IMAP: Command Injection via ID command argument
Jun 22, 2026
EPSS 0.00
CVE-2026-47241
LOW
Net::IMAP: Denial of Service via incomplete raw argument validation
Jun 22, 2026
EPSS 0.00
CVE-2026-47240
MEDIUM
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Jun 22, 2026
EPSS 0.00
CVE-2026-49342
MEDIUM
YARD static cache reads raw traversal paths before router sanitization
Jun 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-12515
MEDIUM
Katello: missing repository authorization in content_uploads exposes cross-product content existence
Jun 17, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44587
MEDIUM
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Jun 17, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44837
MEDIUM
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
May 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-44836
MEDIUM
view_component: Preview Route Can Dispatch Inherited Helper Methods
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-40295
MEDIUM
Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
May 22, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33637
NONE
Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)
May 19, 2026
EPSS 0.00
CVE-2026-44511
HIGH
Katalyst Koi: Session cookies can be replayed after user logout
May 14, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-44312
MEDIUM
css_parser allows to MITM included https css urls
May 14, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-42258
MEDIUM
net-imap: Command Injection via unvalidated Symbol inputs
May 09, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-42257
CRITICAL
net-imap: Command Injection via "raw" arguments to multiple commands
May 09, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42256
MEDIUM
net-imap: Denial of service via high iteration count for `SCRAM-*` authentication
May 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42246
HIGH
net-imap vulnerable to STARTTLS stripping via invalid response timing
May 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-42245
HIGH
net-imap: Quadratic complexity when reading response literals
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42205
HIGH
Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41493
HIGH
yard: Possible arbitrary path traversal and file access via yard server
May 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42087
CRITICAL
OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base
May 04, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42086
MEDIUM
OpenC3 COSMOS: Self-XSS in the Command Sender
May 04, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-42085
MEDIUM
OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames
May 04, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-42084
HIGH
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
May 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41316
HIGH
ERB def_module/def_method/def_class - Deserialization Guard Bypass
Apr 24, 2026
CVSS 8.1
EPSS 0.01
Products
actionpack 63
rack 50
nokogiri 34
rubygems 25
rubygems-update 25
activerecord 23
puppet 23
activesupport 17
publify_core 15
passenger 14
rails-html-sanitizer 14
actionview 13
decidim 12
puma 12
camaleon_cms 11
fat_free_crm 11
rails 11
activestorage 10
net-imap 10
ruby-saml 10
jquery-rails 9
katello 8
openc3 8
rexml 8
bootstrap 7
bootstrap-sass 7
jquery-ui-rails 7
lodash-rails 7
spree 7
avo 6
Quick Filters