rubygems
965 tracked vulnerabilities.
CVE-2026-33635
MEDIUM
iCalendar has ICS injection via unsanitized URI property values
Mar 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33306
HIGH
bcrypt-ruby <3.1.22 JRuby Cost 31 - Weak Key Strengthening
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33286
CRITICAL
Graphiti <1.10.2 - Arbitrary Method Execution
Mar 24, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33202
CRITICAL
Active Storage <8.1.2.1 - Path Traversal
Mar 24, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33195
CRITICAL
Active Storage <8.1.2.1, <8.0.4.1, <7.2.3.1 - Path Traversal
Mar 24, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33176
HIGH
ActiveSupport < 8.1.2.1, < 8.0.4.1, < 7.2.3.1 - Denial of Service via BigDecimal Scientific Notation Expansion
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33174
HIGH
Rails Active Storage Proxy Mode - Range Request Denial of Service
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33173
MEDIUM
Active Storage <8.1.2.1 - Auth Bypass
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33170
MEDIUM
Active Support <8.1.2.1 - XSS
Mar 24, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33169
MEDIUM
Active Support <8.1.2.1/8.0.4.1/7.2.3.1 - DoS
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33168
LOW
Rails Action View Tag Helpers - Cross-Site Scripting
Mar 23, 2026
EPSS 0.01
CVE-2026-33167
LOW
Action Pack 8.1 - XSS
Mar 23, 2026
EPSS 0.00
CVE-2026-33210
CRITICAL
Ruby JSON allow_duplicate_key - Format String Injection
Mar 20, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33209
MEDIUM
Avo <3.30.3 return_to Parameter - Reflected Cross-Site Scripting
Mar 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-32700
MEDIUM
Devise <5.0.3 Confirmable Email Change - Race Condition
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-4324
MEDIUM
Rubygem-katello: katello: denial of service and potential information disclosure via sql injection
Mar 17, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-31830
HIGH
sigstore-ruby < 0.2.3 - Verification Bypass via Unchecked Return Value
Mar 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-1776
MEDIUM
Camaleon CMS 2.4.5.0-2.9.0 - Path Traversal
Mar 10, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-0980
HIGH
rubyipmi < 0.13.0 - Authenticated Remote Code Execution via BMC Username Injection
Feb 27, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-25500
MEDIUM
Rack < 2.2.22 - Cross-Site Scripting via Directory Index File Basename
Feb 18, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-22860
HIGH
Rack <2.2.22/3.1.20/3.2.5 - Path Traversal
Feb 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25765
MEDIUM
Faraday 1.0.0-1.10.4 and 2.0.0-2.14.0 - Server-Side Request Forgery via Protocol-Relative URL
Feb 09, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-25757
MEDIUM
Spree < 5.0.8 - Unauthenticated Order Information Disclosure via Order ID
Feb 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-25758
HIGH
Spree < 4.10.3 - Unauthenticated Insecure Direct Object Reference in Guest Checkout Address Binding
Feb 06, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-1531
HIGH
foreman_kubevirt < 0.4.3 - Improper Certificate Validation
Feb 02, 2026
CVSS 8.1
EPSS 0.00
Products
actionpack 63
rack 50
nokogiri 34
rubygems 25
rubygems-update 25
activerecord 23
puppet 23
activesupport 17
publify_core 15
passenger 14
rails-html-sanitizer 14
actionview 13
decidim 12
puma 12
camaleon_cms 11
fat_free_crm 11
rails 11
activestorage 10
net-imap 10
ruby-saml 10
jquery-rails 9
katello 8
openc3 8
rexml 8
bootstrap 7
bootstrap-sass 7
jquery-ui-rails 7
lodash-rails 7
spree 7
avo 6
Quick Filters