rubygems

965 tracked vulnerabilities.

CVE-2026-41146 HIGH
facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition
Apr 22, 2026
EPSS 0.00
CVE-2026-40869 HIGH
Decidim amendments can be accepted or rejected by anyone
Apr 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-27820 CRITICAL
zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
Apr 16, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-23891 HIGH
Decidim <0.30.5 and <0.31.1 User Name - Stored Cross-Site Scripting
Apr 13, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-40070 HIGH
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40069 HIGH
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39324 CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Apr 07, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-35611 HIGH
Addressable 2.3.0-2.8.x URI Templates - Regular Expression Denial of Service
Apr 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35201 MEDIUM
rdiscount 1.3.1.1-2.2.7.3 Markdown Parser - Out-of-Bounds Read
Apr 06, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34835 MEDIUM
Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34827 HIGH
Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32762 MEDIUM
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-26962 MEDIUM
Rack: Header injection in multipart requests
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34831 MEDIUM
Rack: Content-Length mismatch in Rack::Files error responses
Apr 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-34830 MEDIUM
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Apr 02, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34829 HIGH
Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34826 MEDIUM
Rack: Unbounded Range Count in get_byte_ranges Enables DoS
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34786 MEDIUM
Rack: Rack::Static header_rules bypass via URL-encoded paths
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34785 HIGH
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34763 MEDIUM
Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34230 MEDIUM
Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-26961 LOW
Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Apr 02, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-34060 CRITICAL
Ruby LSP has arbitrary code execution through branch setting
Mar 31, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-33946 MEDIUM
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
Mar 27, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33658 MEDIUM
Rails Active Storage Proxy Mode - Multi-Range Denial of Service
Mar 26, 2026
CVSS 6.5
EPSS 0.00