rubygems
965 tracked vulnerabilities.
CVE-2026-41146
HIGH
facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition
Apr 22, 2026
EPSS 0.00
CVE-2026-40869
HIGH
Decidim amendments can be accepted or rejected by anyone
Apr 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-27820
CRITICAL
zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
Apr 16, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-23891
HIGH
Decidim <0.30.5 and <0.31.1 User Name - Stored Cross-Site Scripting
Apr 13, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-40070
HIGH
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40069
HIGH
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39324
CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Apr 07, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-35611
HIGH
Addressable 2.3.0-2.8.x URI Templates - Regular Expression Denial of Service
Apr 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35201
MEDIUM
rdiscount 1.3.1.1-2.2.7.3 Markdown Parser - Out-of-Bounds Read
Apr 06, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34835
MEDIUM
Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34827
HIGH
Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32762
MEDIUM
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-26962
MEDIUM
Rack: Header injection in multipart requests
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34831
MEDIUM
Rack: Content-Length mismatch in Rack::Files error responses
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34830
MEDIUM
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Apr 02, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34829
HIGH
Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34826
MEDIUM
Rack: Unbounded Range Count in get_byte_ranges Enables DoS
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34786
MEDIUM
Rack: Rack::Static header_rules bypass via URL-encoded paths
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34785
HIGH
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34763
MEDIUM
Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34230
MEDIUM
Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-26961
LOW
Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Apr 02, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-34060
CRITICAL
Ruby LSP has arbitrary code execution through branch setting
Mar 31, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-33946
MEDIUM
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
Mar 27, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33658
MEDIUM
Rails Active Storage Proxy Mode - Multi-Range Denial of Service
Mar 26, 2026
CVSS 6.5
EPSS 0.00
Products
actionpack 63
rack 50
nokogiri 34
rubygems 25
rubygems-update 25
activerecord 23
puppet 23
activesupport 17
publify_core 15
passenger 14
rails-html-sanitizer 14
actionview 13
decidim 12
puma 12
camaleon_cms 11
fat_free_crm 11
rails 11
activestorage 10
net-imap 10
ruby-saml 10
jquery-rails 9
katello 8
openc3 8
rexml 8
bootstrap 7
bootstrap-sass 7
jquery-ui-rails 7
lodash-rails 7
spree 7
avo 6
Quick Filters