rubygems
954 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-32762 | MEDIUM | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing | Apr 02, 2026 | 4.8 | 0.00 |
| CVE-2026-26962 | MEDIUM | Rack: Header injection in multipart requests | Apr 02, 2026 | 4.8 | 0.00 |
| CVE-2026-34831 | MEDIUM | Rack: Content-Length mismatch in Rack::Files error responses | Apr 02, 2026 | 4.8 | 0.00 |
| CVE-2026-34830 | MEDIUM | Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx | Apr 02, 2026 | 5.9 | 0.00 |
| CVE-2026-34829 | HIGH | Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length | Apr 02, 2026 | 7.5 | 0.00 |
| CVE-2026-34826 | MEDIUM | Rack: Unbounded Range Count in get_byte_ranges Enables DoS | Apr 02, 2026 | 5.3 | 0.00 |
| CVE-2026-34786 | MEDIUM | Rack: Rack::Static header_rules bypass via URL-encoded paths | Apr 02, 2026 | 5.3 | 0.00 |
| CVE-2026-34785 | HIGH | Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching | Apr 02, 2026 | 7.5 | 0.00 |
| CVE-2026-34763 | MEDIUM | Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation | Apr 02, 2026 | 5.3 | 0.00 |
| CVE-2026-34230 | MEDIUM | Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header | Apr 02, 2026 | 5.3 | 0.00 |
| CVE-2026-26961 | LOW | Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass | Apr 02, 2026 | 3.7 | 0.00 |
| CVE-2026-34060 | CRITICAL | Ruby LSP has arbitrary code execution through branch setting | Mar 31, 2026 | 9.8 | 0.00 |
| CVE-2026-33946 | MEDIUM | MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay | Mar 27, 2026 | 5.9 | 0.00 |
| CVE-2026-33658 | MEDIUM | Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests | Mar 26, 2026 | 6.5 | 0.00 |
| CVE-2026-33635 | MEDIUM | iCalendar has ICS injection via unsanitized URI property values | Mar 26, 2026 | 4.3 | 0.00 |
| CVE-2026-33306 | HIGH | bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby | Mar 24, 2026 | 7.5 | 0.00 |
| CVE-2026-33286 | CRITICAL | Graphiti <1.10.2 - Arbitrary Method Execution | Mar 24, 2026 | 9.1 | 0.00 |
| CVE-2026-33202 | CRITICAL | Active Storage <8.1.2.1 - Path Traversal | Mar 24, 2026 | 9.1 | 0.00 |
| CVE-2026-33195 | CRITICAL | Active Storage <8.1.2.1, <8.0.4.1, <7.2.3.1 - Path Traversal | Mar 24, 2026 | 9.8 | 0.00 |
| CVE-2026-33176 | HIGH | ActiveSupport < 8.1.2.1, < 8.0.4.1, < 7.2.3.1 - Denial of Service via BigDecimal Scientific Notation Expansion | Mar 24, 2026 | 7.5 | 0.00 |
| CVE-2026-33174 | HIGH | Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests | Mar 24, 2026 | 7.5 | 0.00 |
| CVE-2026-33173 | MEDIUM | Active Storage <8.1.2.1 - Auth Bypass | Mar 24, 2026 | 5.3 | 0.00 |
| CVE-2026-33170 | MEDIUM | Active Support <8.1.2.1 - XSS | Mar 24, 2026 | 6.1 | 0.00 |
| CVE-2026-33169 | MEDIUM | Active Support <8.1.2.1/8.0.4.1/7.2.3.1 - DoS | Mar 24, 2026 | 5.3 | 0.00 |
| CVE-2026-33168 | LOW | Rails has a possible XSS vulnerability in its Action View tag helpers | Mar 23, 2026 | | 0.00 |
Products

| Product | Tracked vulnerabilities |
|---|---|
| actionpack | 63 |
| rack | 50 |
| nokogiri | 34 |
| rubygems | 25 |
| rubygems-update | 25 |
| activerecord | 23 |
| puppet | 23 |
| activesupport | 17 |
| publify_core | 15 |
| passenger | 14 |
| rails-html-sanitizer | 14 |
| actionview | 13 |
| decidim | 12 |
| puma | 12 |
| camaleon_cms | 11 |
| fat_free_crm | 11 |
| rails | 11 |
| activestorage | 10 |
| ruby-saml | 10 |
| jquery-rails | 9 |
| openc3 | 8 |
| rexml | 8 |
| bootstrap | 7 |
| bootstrap-sass | 7 |
| jquery-ui-rails | 7 |
| katello | 7 |
| lodash-rails | 7 |
| net-imap | 7 |
| spree | 7 |
| avo | 6 |