rubygems

965 tracked vulnerabilities.

CVE-2026-33635 MEDIUM
iCalendar has ICS injection via unsanitized URI property values
Mar 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33306 HIGH
bcrypt-ruby <3.1.22 JRuby Cost 31 - Weak Key Strengthening
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33286 CRITICAL
Graphiti <1.10.2 - Arbitrary Method Execution
Mar 24, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33202 CRITICAL
Active Storage <8.1.2.1 - Path Traversal
Mar 24, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33195 CRITICAL
Active Storage <8.1.2.1, <8.0.4.1, <7.2.3.1 - Path Traversal
Mar 24, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33176 HIGH
ActiveSupport < 8.1.2.1, < 8.0.4.1, < 7.2.3.1 - Denial of Service via BigDecimal Scientific Notation Expansion
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33174 HIGH
Rails Active Storage Proxy Mode - Range Request Denial of Service
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33173 MEDIUM
Active Storage <8.1.2.1 - Auth Bypass
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33170 MEDIUM
Active Support <8.1.2.1 - XSS
Mar 24, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33169 MEDIUM
Active Support <8.1.2.1/8.0.4.1/7.2.3.1 - DoS
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33168 LOW
Rails Action View Tag Helpers - Cross-Site Scripting
Mar 23, 2026
EPSS 0.01
CVE-2026-33167 LOW
Action Pack 8.1 - XSS
Mar 23, 2026
EPSS 0.00
CVE-2026-33210 CRITICAL
Ruby JSON allow_duplicate_key - Format String Injection
Mar 20, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33209 MEDIUM
Avo <3.30.3 return_to Parameter - Reflected Cross-Site Scripting
Mar 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-32700 MEDIUM
Devise <5.0.3 Confirmable Email Change - Race Condition
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-4324 MEDIUM
Rubygem-katello: katello: denial of service and potential information disclosure via sql injection
Mar 17, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-31830 HIGH
sigstore-ruby < 0.2.3 - Verification Bypass via Unchecked Return Value
Mar 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-1776 MEDIUM
Camaleon CMS 2.4.5.0-2.9.0 - Path Traversal
Mar 10, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-0980 HIGH
rubyipmi < 0.13.0 - Authenticated Remote Code Execution via BMC Username Injection
Feb 27, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-25500 MEDIUM
Rack < 2.2.22 - Cross-Site Scripting via Directory Index File Basename
Feb 18, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-22860 HIGH
Rack <2.2.22/3.1.20/3.2.5 - Path Traversal
Feb 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25765 MEDIUM
Faraday 1.0.0-1.10.4 and 2.0.0-2.14.0 - Server-Side Request Forgery via Protocol-Relative URL
Feb 09, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-25757 MEDIUM
Spree < 5.0.8 - Unauthenticated Order Information Disclosure via Order ID
Feb 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-25758 HIGH
Spree < 4.10.3 - Unauthenticated Insecure Direct Object Reference in Guest Checkout Address Binding
Feb 06, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-1531 HIGH
foreman_kubevirt < 0.4.3 - Improper Certificate Validation
Feb 02, 2026
CVSS 8.1
EPSS 0.00