CVE-2026-25500Cross-site Scripting in Rack

CWE-79Cross-site Scripting10 documents8 sources
Severity
5.4MEDIUMNVD
OSV7.5
EPSS
0.0%
top 94.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rack
Timeline
PublishedFeb 18
Latest updateFeb 26

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

CVEListV5rack/rack< 2.2.22+2
NVDrack/rack3.0.03.1.20+2
RubyGemsrack/rack3.0.0.beta13.1.20+2

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
ruby-rack vulnerabilities2026-02-26
OSV
CVE-2026-25500: Rack is a modular Ruby web server interface2026-02-18
CVEList
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href2026-02-18
GHSA
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href2026-02-17
OSV
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href2026-02-17

📋Vendor Advisories

3
Ubuntu
Rack vulnerabilities2026-02-26
Red Hat
rubygem-rack: Rack stored XSS in Rack::Directory2026-02-18
Debian
CVE-2026-25500: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, a...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-25500 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25500 — Cross-site Scripting in Rack | cvebase