rubygems
954 tracked vulnerabilities.
| CVE | Severity | Title | Date | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-33167 | LOW | Action Pack 8.1 - XSS | Mar 23, 2026 | | 0.00 |
| CVE-2026-33210 | CRITICAL | Ruby JSON has a format string injection vulnerability | Mar 20, 2026 | 9.1 | 0.00 |
| CVE-2026-33209 | MEDIUM | Avo has a XSS vulnerability on `return_to` param | Mar 20, 2026 | 6.1 | 0.00 |
| CVE-2026-32700 | MEDIUM | Devise <5.0.3 Confirmable Email Change - Race Condition | Mar 18, 2026 | 5.3 | 0.00 |
| CVE-2026-4324 | MEDIUM | Rubygem-katello: katello: denial of service and potential information disclosure via sql injection | Mar 17, 2026 | 5.4 | 0.00 |
| CVE-2026-31830 | HIGH | sigstore-ruby < 0.2.3 - Verification Bypass via Unchecked Return Value | Mar 10, 2026 | 7.5 | 0.00 |
| CVE-2026-1776 | MEDIUM | Camaleon CMS 2.4.5.0-2.9.0 - Path Traversal | Mar 10, 2026 | 6.5 | 0.00 |
| CVE-2026-0980 | HIGH | rubyipmi < 0.13.0 - Authenticated Remote Code Execution via BMC Username Injection | Feb 27, 2026 | 8.3 | 0.00 |
| CVE-2026-25500 | MEDIUM | Rack < 2.2.22 - Cross-Site Scripting via Directory Index File Basename | Feb 18, 2026 | 5.4 | 0.00 |
| CVE-2026-22860 | HIGH | Rack <2.2.22/3.1.20/3.2.5 - Path Traversal | Feb 18, 2026 | 7.5 | 0.00 |
| CVE-2026-25765 | MEDIUM | Faraday 1.0.0-1.10.4 and 2.0.0-2.14.0 - Server-Side Request Forgery via Protocol-Relative URL | Feb 09, 2026 | 5.8 | 0.00 |
| CVE-2026-25757 | MEDIUM | Spree < 5.0.8 - Unauthenticated Order Information Disclosure via Order ID | Feb 06, 2026 | 5.3 | 0.00 |
| CVE-2026-25758 | HIGH | Spree < 4.10.3 - Unauthenticated Insecure Direct Object Reference in Guest Checkout Address Binding | Feb 06, 2026 | 7.5 | 0.00 |
| CVE-2026-1531 | HIGH | foreman_kubevirt < 0.4.3 - Improper Certificate Validation | Feb 02, 2026 | 8.1 | 0.00 |
| CVE-2026-1530 | HIGH | fog-kubevirt < 1.5.1 - Man-in-the-Middle via Disabled Certificate Validation | Feb 02, 2026 | 8.1 | 0.00 |
| CVE-2026-23885 | MEDIUM | Alchemy <7.4.12,8.0.3 - Code Injection | Jan 19, 2026 | 6.4 | 0.00 |
| CVE-2026-22589 | HIGH | Spree < 4.10.2 - Unauthenticated Insecure Direct Object Reference | Jan 10, 2026 | 7.5 | 0.00 |
| CVE-2026-22588 | MEDIUM | Spree < 4.10.2 - Authenticated Insecure Direct Object Reference via Order Address Manipulation | Jan 08, 2026 | 6.5 | 0.00 |
| CVE-2025-67202 | MEDIUM | sidekiq-cron < 2.4.0 - Cross-Site Scripting via cron.erb URL Rendering | May 07, 2026 | 6.1 | 0.00 |
| CVE-2025-65017 | MEDIUM | Decidim 0.30.0-0.30.3 and 0.31.0.rc1 - Unauthorized Data Exposure via UUID Collision | Feb 03, 2026 | 6.5 | 0.00 |
| CVE-2025-24293 | CRITICAL | Rubygems Activestorage < 8.0.2.1 - Command Injection | Jan 30, 2026 | | 0.00 |
| CVE-2025-68271 | CRITICAL | OpenC3 COSMOS 5.0.0-6.10.1 - Unauthenticated Remote Code Execution via JSON-RPC API String Parameter | Jan 13, 2026 | 10.0 | 0.00 |
| CVE-2025-61594 | HIGH | URI < 0.12.5, 0.13.0-0.13.2, 1.0.0-1.0.3 - Exposure of Sensitive Information via URI Combination Operator | Dec 30, 2025 | 7.5 | 0.00 |
| CVE-2025-68696 | HIGH | httparty < 0.24.0 - Server-Side Request Forgery | Dec 23, 2025 | 8.2 | 0.00 |
| CVE-2025-14762 | MEDIUM | AWS SDK for Ruby < 1.208.0 - Use of a Broken or Risky Cryptographic Algorithm | Dec 17, 2025 | 5.3 | 0.00 |
Products

| Product | Count |
|---|---|
| actionpack | 63 |
| rack | 50 |
| nokogiri | 34 |
| rubygems | 25 |
| rubygems-update | 25 |
| activerecord | 23 |
| puppet | 23 |
| activesupport | 17 |
| publify_core | 15 |
| passenger | 14 |
| rails-html-sanitizer | 14 |
| actionview | 13 |
| decidim | 12 |
| puma | 12 |
| camaleon_cms | 11 |
| fat_free_crm | 11 |
| rails | 11 |
| activestorage | 10 |
| ruby-saml | 10 |
| jquery-rails | 9 |
| openc3 | 8 |
| rexml | 8 |
| bootstrap | 7 |
| bootstrap-sass | 7 |
| jquery-ui-rails | 7 |
| katello | 7 |
| lodash-rails | 7 |
| net-imap | 7 |
| spree | 7 |
| avo | 6 |