CVE-2026-34827
Published 2026-04-02
CVE-2026-34827: Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head…
Priority P3 · 46 · high · 7.5 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.47% (37.5th percentile)
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 3.2.6-2 (sid) | ruby-rack 3.2.6-2 (sid) |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 3.0.0 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 3.7 | LOW | |
OSV
CVE-2026-34827: (Rack is a modular Ruby web server interface
osv·2026-04-03·CVSS 7.5
OSV
CVE-2026-34827: Rack is a modular Ruby web server interface
osv·2026-04-02·CVSS 7.5
GHSA
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
ghsa·2026-04-02
CVE-2026-34827 [HIGH] CWE-400 Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
## Summary
`Rack::Multipart::Parser#handle_mime_head` parses quoted multipart parameters such as `Content-Disposition: form-data; name="..."` using repeated `String#index` searches combined with `String#slice!` prefix deletion. For escape-heavy quoted values, this causes super-linear processing.
An unauthenticated attacker can send a crafted `multipart/form-data` request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing.
This results in a denial of service condition in Rack applications that accept multipart form data.
## Details
`Rack::Multipart::Parser#handle_mime_head` parses quoted parameter values by repeatedly:
1.
OSV
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
osv·2026-04-02
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-04-17·CVSS 3.7
CVE-2026-26962 [LOW] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
Andrew Lacambra discovered that Rack did not properly parse certain regular
expressions. An attacker could possibly use this issue to bypass network
security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)
William T. Nelson discovered that Rack did not handle multipart headers
correctly. An attacker could possibly use this issue to cause downstream
parsing issues or a denial of service. This issue only affected Ubuntu
25.10. (CVE-2026-26962)
It was discovered that Rack did not handle the Forwarded header correctly.
An attacker could possibly use this issue to manipulate header values. This
issue only affected Ubuntu 25.10. (CVE-2026
Red Hat
rack: Rack: Denial of Service via crafted multipart/form-data requests
vendor_redhat·2026-04-02·CVSS 7.5
CVE-2026-34827 [HIGH] CWE-770 rack: Rack: Denial of Service via crafted multipart/form-data requests
Debian
CVE-2026-34827: ruby-rack - Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before...
vendor_debian·2026·CVSS 7.5
CVE-2026-34827 [HIGH] CVE-2026-34827: ruby-rack - Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before...
Scope: local
bookworm: open
bullseye: open
forky:
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33635 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33635 [MEDIUM] CVE-2026-33635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33635: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only its code references remain: `Icalendar::Values::Uri`, `URI.parse`, `value.to_s`, `\r`, `\n`, `.ics`.
Source: NVD
Score: 4.3
Published March 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Ruby
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby-icalendar
icalendar
Sources
NVD
Debian 11, 12 Severity MEDIUM No Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 25, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-28363 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-28363 [CRITICAL] CVE-2026-28363 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28363: MinimOS vulnerability analysis and mitigation
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.
Source: NVD
Score: 8.8
Published February 27, 2026
Severity HIGH
CNA Score 9.9
Affected Technologies
MinimOS
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity CRITI
Wiz
CVE-2026-1519 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1519 [HIGH] CVE-2026-1519 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1519: MinimOS vulnerability analysis and mitigation
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries ).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
Source: NVD
Score: 7.5
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
MinimOS
Linux Debian
Has Publi
Wiz
CVE-2026-25765 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-25765 [MEDIUM] CVE-2026-25765 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25765: Ruby vulnerability analysis and mitigation
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vu
Wiz
CVE-2026-33210 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33210 [MEDIUM] CVE-2026-33210 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33210: Ruby vulnerability analysis and mitigation
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Source: NVD
Score: 8.3
Published March 20, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Ruby
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby:3.3:
Wiz
CVE-2026-34763 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34763 [MEDIUM] CVE-2026-34763 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34763: Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Source: NVD
Score: 5.3
Published April 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Ruby
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (
Wiz
CVE-2026-33168 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33168 [MEDIUM] CVE-2026-33168 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33168: Ruby vulnerability analysis and mitigation
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Source: NVD
Score: 2.3
Published March 23, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV
Wiz
CVE-2025-66568 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-66568 [CRITICAL] CVE-2025-66568 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66568: Ruby vulnerability analysis and mitigation
The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.
Source: NVD
Score: 9.3
Published December 9, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Ruby
Has Public E
Wiz
CVE-2025-14762 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2025-14762 [MEDIUM] CVE-2025-14762 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14762: Ruby vulnerability analysis and mitigation
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Source: NVD
Score: 6
Published December 17, 2025
Severity MEDIUM
CNA Score 6.0
Affected Technologies
Ruby
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby4.0-aws-sdk-s3
aws-sdk-s3
Sources
NVD
Wiz
CVE-2026-33174 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33174 [MEDIUM] CVE-2026-33174 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33174: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only the code reference `bytes=0-` remains.
Source: NVD
Score: 6.6
Published March 24, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby3.2-rails-8.1
ruby3.4-rails-8.0
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 14 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
Linux Severity HIGH Has Fix Added at: Mar 24, 2026
Wolfi Has Fix A
Wiz
CVE-2025-68696 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68696 [HIGH] CVE-2025-68696 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68696: Ruby vulnerability analysis and mitigation
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.
Source: NVD
Score: 8.8
Published December 23, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
Ruby
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
gitlab-rails-ce-18.2
gitlab-rails-ce-18.4
Sources
NVD
Chainguard Has Fix Added at: Jan 11, 2026
Debian 11, 12, 13 Severity
Wiz
CVE-2025-61594 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2025-61594 [LOW] CVE-2025-61594 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61594: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only the code reference `+` remains.
Source: NVD
Score: 2.7
Published December 30, 2025
Severity LOW
CNA Score 2.7
Affected Technologies
Ruby
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gitlab-rails-ce-fips-18.1
rhel9::flatpak-sdk
Sources
NVD
AlmaLinux 8 Severity MEDIUM Has Fix Added at: Jan 08, 2026
AlmaLinux 9 Severity MEDIUM Has Fix Added at: Jan 08, 2026
Alpine 3.20, 3.21 Severity HIGH Has Fix Added at: Nov 23, 2025
Alpine 3.23 Severity HIGH Has Fix Added at: Dec 04, 2025
Alpine edge Severity HIGH Has Fix Added at: Nov 26, 2025
CBL-Mariner 2.0 Severity LOW H
Wiz
CVE-2026-0980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-0980 [HIGH] CVE-2026-0980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0980: Ruby vulnerability analysis and mitigation
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system.
Source: NVD
Score: 8.8
Published February 27, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
rubyipmi
Sources
NVD
RubyGems Severity HIGH Has Fix Added at:
Wiz
CVE-2026-3591 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-3591 [HIGH] CVE-2026-3591 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3591: MinimOS vulnerability analysis and mitigation
The description did not survive extraction; only the code reference `named` remains.
Source: NVD
Score: 5.4
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
MinimOS
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bind9.16-libs
bind9.16-license
Sources
NVD
Alpine 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 26, 2026
Debian 11, 12 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 13, 14 Severity MEDIUM Has Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
MinimOS Severity MEDIUM Has Fix Added at: Mar 29, 2026
Red Hat 6, 7, 8, 9, 10 Seve
Wiz
CVE-2026-34831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34831 [HIGH] CVE-2026-34831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34831: Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21,
Wiz
CVE-2026-33658 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33658 [MEDIUM] CVE-2026-33658 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33658: Ruby vulnerability analysis and mitigation
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Source: NVD
Score: 2.3
Published March 26, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Exploitation
Wiz
GHSA-5qw5-wf2q-f538 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
[MEDIUM] GHSA-5qw5-wf2q-f538 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5qw5-wf2q-f538: Ruby vulnerability analysis and mitigation
ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub() function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Source: NVD
Score: 8.8
Published January 16, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packag
Wiz
GHSA-46fp-8f5p-pf2m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
[MEDIUM] GHSA-46fp-8f5p-pf2m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-46fp-8f5p-pf2m: Ruby vulnerability analysis and mitigation
The advisory body did not survive extraction; only its section headings and the code references under each remain.
## Summary
Code references: `Loofah::HTML5::Scrub.allowed_uri?`, `javascript:`
## Details
Code references: `allowed_uri?`, `java script:alert(1)`, `java\rscript:alert(1)`, `sanitize()`, `allowed_uri?`
## Impact
Code references: `Loofah::HTML5::Scrub.allowed_uri?`, `href`; version reference: 2.25.0
## Mitigation
Version reference: 2.25.1
## Credit
@smlee
Source: NVD
Score: 2.7
Published March 18, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
loofah
Sources
NVD
RubyGems Severity LOW Has Fix Added at: Mar 19, 2026
RubyGems Has Fix Added at: Mar 24, 2026
Wiz
CVE-2025-24293 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2025-24293 [CRITICAL] CVE-2025-24293 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-24293: Ruby vulnerability analysis and mitigation
## Active Storage allowed transformation methods potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user-supplied input is accepted as valid transformation methods or parameters.
## Impact
This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.
Vulnerable code will look something similar to this (only the fragment `params[:v]) %>` of the example survived extraction):
Where the transformation method or its argu
Wiz
CVE-2026-33202 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33202 [MEDIUM] CVE-2026-33202 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33202: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only its code references remain: `DiskService#delete_prefixed`, `Dir.glob`.
Source: NVD
Score: 6.6
Published March 24, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rails
cpe:2.3:a:rubyonrails:rails
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 14 Severity CRITICAL No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity CRITICAL No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
Linux Severity CRITICAL Has Fix
Wiz
CVE-2026-33176 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33176 [MEDIUM] CVE-2026-33176 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33176: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only its code references remain: `1e10000`, `BigDecimal`.
Source: NVD
Score: 6.6
Published March 24, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
activesupport
cinc-auditor
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 14 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 24, 2026
Linux Sever
Wiz
CVE-2026-26962 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-26962 [MEDIUM] CVE-2026-26962 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26962: Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Source: NVD
Score: 4.8
Published April 2, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Ruby
Chainguard
Has Public Exploit No
Has CISA KEV
Wiz
CVE-2026-33170 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33170 [MEDIUM] CVE-2026-33170 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33170: Ruby vulnerability analysis and mitigation
The description did not survive extraction; only its code references remain: `SafeBuffer#%`, `@html_unsafe`, `SafeBuffer`, `gsub!`, `%`, `html_safe? == true`.
Source: NVD
Score: 5.3
Published March 24, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
activesupport
rails
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
MinimOS Severity MEDIUM Has Fix Added at: Mar 24, 2026
Linux Severity M
Wiz
GHSA-57hq-95w6-v4fc Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
[MEDIUM] GHSA-57hq-95w6-v4fc Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-57hq-95w6-v4fc: Ruby vulnerability analysis and mitigation
## Impact
The impact text did not survive extraction; only its code references remain: `reconfirmable`, `confirmation_token`, `unconfirmed_email`.
## Patches
This is patched in Devise v5.0.3. Users should upgrade as soon as possible.
## Workarounds
The workaround text did not survive extraction apart from its code references (`unconfirmed_email`, `User`) and this snippet:
```ruby
class User < ApplicationRecord
  protected

  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
    unconfirmed_email_will_change!
    super
  end
end
```
Code references that followed the snippet: `will_change!`, `changed_attributes["unconfirmed_email"] = nil`.
Source: NVD
Score: 6
Published March 17, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probabil
Wiz
CVE-2026-22588 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22588 [MEDIUM] CVE-2026-22588 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22588: Ruby vulnerability analysis and mitigation
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
Source: NVD
Score: 6.5
Published January 8, 20
Wiz
CVE-2026-1531 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-1531 [HIGH] CVE-2026-1531 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1531 :
Ruby vulnerability analysis and mitigation
A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information.
Source : NVD
## 8.1
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS)
Wiz
CVE-2025-68271 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-68271 [CRITICAL] CVE-2025-68271 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68271 :
Ruby vulnerability analysis and mitigation
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.
Source : NVD
## 10
Score
Publishe
Wiz
CVE-2026-34830 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34830 [MEDIUM] CVE-2026-34830 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34830 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
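To make the regex-injection gap concrete, the following is an added example in plain Ruby that models the X-Accel-Mapping rewrite described above; it is not Rack::Sendfile's code, and the mapping syntax (`internal_prefix=external_prefix`, comma separated), the file path and the mapping values are assumptions for the demo.

```ruby
# Added example (not Rack::Sendfile's code): models the X-Accel-Mapping rewrite
# described above so the regex-injection gap is visible. Mapping syntax assumed:
# "internal_prefix=external_prefix[,internal=external...]".

def parse_mappings(header)
  header.split(',').map { |m| m.split('=', 2).map(&:strip) }
end

# Vulnerable shape: the header-supplied prefix is interpolated into a Regexp
# unescaped, so ".", "*", "(" and friends act as regex syntax.
def accel_path_unescaped(mapping_header, path)
  parse_mappings(mapping_header).each do |internal, external|
    re = /\A#{internal}/i
    return path.sub(re, external) if path.match?(re)
  end
  nil
end

# Hardened shape: Regexp.escape forces a literal prefix comparison.
def accel_path_escaped(mapping_header, path)
  parse_mappings(mapping_header).each do |internal, external|
    re = /\A#{Regexp.escape(internal)}/i
    return path.sub(re, external) if path.match?(re)
  end
  nil
end

# Constructed inputs.
FILE_PATH   = '/var/www/files/report.pdf'    # file the app wants nginx to serve
TRUSTED_MAP = '/var/www/files/=/protected/'  # mapping the front proxy is meant to set
HOSTILE_MAP = '.*=/protected/other/'         # regex metacharacters in the "internal" half

def accel_demo
  {
    trusted_unescaped: accel_path_unescaped(TRUSTED_MAP, FILE_PATH), # "/protected/report.pdf"
    trusted_escaped:   accel_path_escaped(TRUSTED_MAP, FILE_PATH),   # "/protected/report.pdf"
    hostile_unescaped: accel_path_unescaped(HOSTILE_MAP, FILE_PATH), # "/protected/other/": ".*" swallowed the whole path
    hostile_escaped:   accel_path_escaped(HOSTILE_MAP, FILE_PATH)    # nil: no literal ".*" prefix
  }
end
```

The escape is the in-code fix; operationally, X-Accel-Mapping should be set by the reverse proxy and any client-supplied copy of the header dropped before it reaches the backend, since the advisory's precondition is an attacker who can supply that header.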
Source : NVD
## 5.9
Score
Published April 2,
Wiz
CVE-2026-25758 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25758 [HIGH] CVE-2026-25758 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25758 :
Ruby vulnerability analysis and mitigation
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Source : NVD
## 7.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Ruby
Has Public Exploit Yes
Has CISA KE
Wiz
CVE-2026-22822 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-22822 [CRITICAL] CVE-2026-22822 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22822 :
MinimOS vulnerability analysis and mitigation
getSecretKey
getSecretKey
Source : NVD
## 9.3
Score
Published January 21, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
external-secrets-operator
github.com/external-secrets/external-secrets
Sources
NVD
GoLang Severity CRITICAL Has Fix Added at: Jan 21, 2026
MinimOS Severity HIGH Has Fix Added at: Jan 22, 2026
Wiz
CVE-2026-34829 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34829 [HIGH] CVE-2026-34829 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34829 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that
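The missing bound can be enforced outside the parser. Below is an added example, not Rack's code: a Rack-style middleware (only the `call(env)` convention and the `rack.input` read/gets/each methods are assumed, so the rack gem is not needed to run it) that caps the body of multipart requests arriving without CONTENT_LENGTH. `MAX_MULTIPART_BYTES` and the downstream app are constructed for the demo.

```ruby
require 'stringio'

# Added example, not Rack's code. Caps the body of multipart requests that
# arrive without CONTENT_LENGTH; requests that carry a length are left alone
# because the existing length-based bounding already applies to them.

class LimitedInput
  class TooLarge < StandardError; end

  def initialize(io, limit)
    @io = io
    @limit = limit
    @read = 0
  end

  def read(length = nil, outbuf = nil)
    account(outbuf ? @io.read(length, outbuf) : @io.read(length))
  end

  def gets(*args)
    account(@io.gets(*args))
  end

  def each
    while (chunk = read(8192))
      yield chunk
    end
  end

  private

  # Count every byte handed to the parser and stop once the cap is exceeded.
  def account(chunk)
    return chunk if chunk.nil?
    @read += chunk.bytesize
    raise TooLarge, "multipart body exceeded #{@limit} bytes" if @read > @limit
    chunk
  end
end

class BoundMultipartBody
  def initialize(app, limit:)
    @app = app
    @limit = limit
  end

  def call(env)
    if env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/') && env['CONTENT_LENGTH'].to_s.empty?
      env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    end
    @app.call(env)
  rescue LimitedInput::TooLarge
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Stand-in for a multipart parser that streams the body to disk until EOF.
DRAIN_APP = lambda do |env|
  total = 0
  while (chunk = env['rack.input'].read(8192))
    total += chunk.bytesize
  end
  [200, { 'content-type' => 'text/plain' }, ["read #{total} bytes"]]
end

MAX_MULTIPART_BYTES = 1024 # assumed deployment setting

# Drive the middleware with a constructed env; content_length nil models a
# chunked request that carries no Content-Length header.
def post_multipart(body, content_length: nil)
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => 'multipart/form-data; boundary=demo',
    'rack.input' => StringIO.new(body)
  }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  BoundMultipartBody.new(DRAIN_APP, limit: MAX_MULTIPART_BYTES).call(env)
end
```

Mount it ahead of the multipart-parsing layer. A reverse proxy that refuses chunked multipart uploads, or buffers them and adds Content-Length, closes the same gap at the edge; the middleware is for deployments where the proxy cannot be changed.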
Wiz
CVE-2026-34786 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34786 [MEDIUM] CVE-2026-34786 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34786 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Source : NVD
## 5.3
Score
Published Ap
Wiz
CVE-2025-66567 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-66567 [CRITICAL] CVE-2025-66567 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66567 :
Ruby vulnerability analysis and mitigation
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
Source : NVD
## 9.3
Score
Published December 9, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.2
Exploitation Probability (EP
Wiz
GHSA-q66h-m87m-j2q6 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
[HIGH] GHSA-q66h-m87m-j2q6 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-q66h-m87m-j2q6 :
Ruby vulnerability analysis and mitigation
## Summary: Remote Code Execution
Unsafe handling of request parameters in the RPC HTTP server results in command injection
## Details
command
args
send
command
command
system
args
## PoC
Start the RPC server
Send a request to the RPC server as so:
```bash
curl -X POST http://127.0.0.1:18443 -H 'Content-Type: application/json' \
  -d '{"method":"eval","params":["File.write(\"/tmp/pwned\",\"owned\")"]}'
```
Check the /tmp directory on the machine where the RPC server is being run. If a file /tmp/pwned now exists, the vulnerability is confirmed.
## Impact
This vulnerability would impact anyone running the RPC server. The impact is higher for those who are running it publicly exposed to the internet.
## Remediation
Wiz
CVE-2026-34785 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34785 [MEDIUM] CVE-2026-34785 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34785 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
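Both Rack::Static findings above (the header_rules mismatch in CVE-2026-34786 and the bare prefix match here) come down to which form of the path a check runs against. The following is an added example in plain Ruby, not Rack::Static's code; the prefixes, header rules and request paths are constructed.

```ruby
# Added example, not Rack::Static's code. Models the two Rack::Static checks
# discussed above: which request paths a static prefix should claim, and which
# form of the path header_rules must be evaluated against.

STATIC_PREFIXES = ['/css', '/js'].freeze # constructed config

# Prefix test as a bare string comparison: "/css-config.env" is claimed too.
def static_request_naive?(path)
  STATIC_PREFIXES.any? { |p| path.start_with?(p) }
end

# Segment-aware test: the prefix must be the whole path or be followed by "/".
def static_request_segment?(path)
  STATIC_PREFIXES.any? { |p| path == p || path.start_with?("#{p}/") }
end

# Minimal percent-decoding (ASCII demo inputs only).
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Header rules as [matcher, headers]; a String matcher is a segment-aware
# prefix, a Regexp is matched against the whole path.
HEADER_RULES = [
  ['/css', { 'content-security-policy' => "default-src 'none'" }],
  [/\.js\z/, { 'x-content-type-options' => 'nosniff' }]
].freeze

def headers_for(path)
  HEADER_RULES.each_with_object({}) do |(matcher, headers), acc|
    hit = if matcher.is_a?(Regexp)
            path.match?(matcher)
          else
            path == matcher || path.start_with?("#{matcher}/")
          end
    acc.merge!(headers) if hit
  end
end

# Rules evaluated against the raw, still-encoded PATH_INFO (the described bug):
# "/%63ss/app.css" serves the same file as "/css/app.css" but gets no headers.
def headers_vulnerable(raw_path_info)
  headers_for(raw_path_info)
end

# Rules evaluated against the decoded path, the same form used to pick the file.
def headers_hardened(raw_path_info)
  headers_for(percent_decode(raw_path_info))
end
```

The general rule both fixes follow: decode and normalize the path once, then run every decision (does this middleware own the request, which headers apply, which file is opened) against that single canonical form.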
Source : NVD
## 7.5
Score
Published April 2, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Ruby
Chainguard
Ha
Wiz
CVE-2026-23885 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-23885 [MEDIUM] CVE-2026-23885 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23885 :
Ruby vulnerability analysis and mitigation
eval()
resource_handler.engine_name
Alchemy::ResourcesHelper#resource_url_proxy
app/helpers/alchemy/resources_helper.rb
# rubocop:disable Security/Eval
engine_name
eval()
send()
Source : NVD
## 6.4
Score
Published January 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
Ruby
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
alchemy_cms
Sources
NVD
RubyGems Severity MEDIUM Has Fix Added at: Jan 21, 2026
RubyGems Severity MEDIUM Has Fix Added at: Jan 31, 2026
Wiz
CVE-2026-1530 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-1530 [HIGH] CVE-2026-1530 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1530 :
Ruby vulnerability analysis and mitigation
A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise.
Source : NVD
## 8.1
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fog-kubevirt
Sources
NVD
RubyGems Severity HIGH H
Wiz
CVE-2026-33209 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33209 [MEDIUM] CVE-2026-33209 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33209 :
Ruby vulnerability analysis and mitigation
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when the victim clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libr
Wiz
CVE-2026-34742 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-34742 [HIGH] CVE-2026-34742 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34742 :
MinimOS vulnerability analysis and mitigation
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. This issue has been patched in version 1.4.0.
Source : NVD
## 7.6
Score
Published April 2, 2026
Severity HIGH
CNA Score 7.6
Affected Technolo
Wiz
CVE-2026-33167 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33167 [MEDIUM] CVE-2026-33167 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33167 :
Ruby vulnerability analysis and mitigation
config.consider_all_requests_local = true
Source : NVD
## 1.3
Score
Published March 23, 2026
Severity LOW
CNA Score 1.3
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby3.2-rails-8.1
actionpack
Sources
NVD
Chainguard Has Fix Added at: Mar 25, 2026
RubyGems Severity LOW Has Fix Added at: Mar 24, 2026
Linux Has Fix Added at: Mar 24, 2026
Wolfi Has Fix Added at: Mar 25, 2026
Wiz
CVE-2026-32762 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-32762 [MEDIUM] CVE-2026-32762 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32762 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Source : NVD
## 4.8
Scor
Wiz
CVE-2026-22589 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-22589 [HIGH] CVE-2026-22589 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22589 :
Ruby vulnerability analysis and mitigation
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
Source : NVD
## 7.5
Score
Published January 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Ruby
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.4
Exploitation Probability (EPSS) 0.1
Affected packages
Wiz
GHSA-87fh-rc96-6fr6 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-87fh-rc96-6fr6 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-87fh-rc96-6fr6 :
Ruby vulnerability analysis and mitigation
## Summary
A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.
## Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
GHSL-2026-027
bill_address_attributes[id]
ship_address_attributes[id]
validate_address_ownership
bill_address_id
ship_address_id
## Affected Code Compon
Wiz
GHSA-wx95-c6cv-8532 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
[MEDIUM] GHSA-wx95-c6cv-8532 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-wx95-c6cv-8532 :
Ruby vulnerability analysis and mitigation
## Summary
xmlC14NExecute
Nokogiri::XML::Document#canonicalize
Nokogiri::XML::Node#canonicalize
RuntimeError
## Mitigation
>= 1.19.1
## Severity
The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References).
## Credit
d4d
Source : NVD
## 5.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N
Wiz
CVE-2026-26961 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2026-26961 [LOW] CVE-2026-26961 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26961 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
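This boundary issue and the Forwarded header issue above (CVE-2026-32762) share a root cause: both headers use a `;`-separated parameter syntax in which quoted values may contain the delimiter, and both were parsed without a quote-aware tokenizer. The following added example, not Rack's code, implements one such tokenizer in plain Ruby and uses it for both headers; the sample header values are constructed.

```ruby
# Added example, not Rack's code. One quote-aware tokenizer for the ";"-separated
# parameter syntax shared by RFC 7239 Forwarded elements and the Content-Type
# header, used to show both parsing mistakes described above: splitting on ";"
# before honoring quoted-strings (Forwarded) and letting a greedy regex pick the
# last of several boundary parameters (multipart Content-Type).

# Split `str` on `sep` only outside double quotes; backslash escapes inside
# quotes are kept intact for unquote to resolve.
def split_unquoted(str, sep)
  parts = []
  buf = +''
  in_quotes = false
  i = 0
  while i < str.length
    c = str[i]
    if in_quotes && c == '\\' && i + 1 < str.length
      buf << c << str[i + 1]
      i += 2
      next
    end
    in_quotes = !in_quotes if c == '"'
    if c == sep && !in_quotes
      parts << buf
      buf = +''
    else
      buf << c
    end
    i += 1
  end
  parts << buf
  parts.map(&:strip).reject(&:empty?)
end

# Strip the outer quotes of a quoted-string and resolve \x escapes.
def unquote(value)
  return value unless value.length >= 2 && value.start_with?('"') && value.end_with?('"')
  value[1..-2].gsub(/\\(.)/, '\1')
end

# "name=value" pairs of one element into a lowercase-keyed hash.
def pairs_to_hash(pairs)
  pairs.each_with_object({}) do |pair, h|
    name, value = pair.split('=', 2)
    next if value.nil?
    h[name.strip.downcase] = unquote(value.strip)
  end
end

# RFC 7239: elements separated by ",", pairs within an element by ";".
# Quoted values may legally contain both delimiters.
def parse_forwarded(header)
  split_unquoted(header, ',').map { |element| pairs_to_hash(split_unquoted(element, ';')) }
end

# The naive shape described above: split on ";" first, so a quoted `for`
# value containing ";" is read as additional directives.
def parse_forwarded_naive(header)
  header.split(',').map { |element| pairs_to_hash(element.split(';')) }
end

# Content-Type: accept the boundary only when exactly one boundary parameter is
# present; an ambiguous header is rejected rather than silently resolved.
def multipart_boundary(content_type)
  media_type, *params = split_unquoted(content_type, ';')
  return nil unless media_type && media_type.casecmp?('multipart/form-data')
  boundaries = params.filter_map do |p|
    k, v = p.split('=', 2)
    unquote(v.strip) if v && k.strip.casecmp?('boundary')
  end
  boundaries.size == 1 ? boundaries.first : nil
end

# Greedy-regex shape: ".*" runs to the end and backtracks, so the *last*
# boundary parameter wins while an upstream proxy may have used the first.
def boundary_greedy_last(content_type)
  content_type[%r{\Amultipart/.*boundary="?([^";,]+)"?}mi, 1]
end
```

Rejecting duplicate boundary parameters outright, rather than picking first or last, is the choice that removes the proxy/backend disagreement entirely: whichever side the intermediary takes, an ambiguous request never reaches the parser.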
Source : NVD
## 3.7
Score
Published April 2, 2026
Severity LOW
CNA
Wiz
CVE-2026-33173 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33173 [MEDIUM] CVE-2026-33173 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33173 :
Ruby vulnerability analysis and mitigation
DirectUploadsController
identified
analyzed
content_type
Source : NVD
## 5.3
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rails
cpe:2.3:a:rubyonrails:rails
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 24, 2026
Wolfi Has Fix
Wiz
CVE-2026-25500 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-25500 [MEDIUM] CVE-2026-25500 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25500 :
Ruby vulnerability analysis and mitigation
Rack::Directory
javascript:
javascript:alert(1)
href
javascript:alert(1)
alert(1)
Source : NVD
## 5.4
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Ruby
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby3.2-rails-7.2
ruby3.3-rails-7.1
Sources
NVD
Chainguard Has Fix Added at: Feb 20, 2026
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Feb 19, 2026
Echo Severity MEDIUM Has Fix Added at: Feb 19, 2026
RubyGems Severity MEDIUM Has Fix Added at: Feb 18, 2026
Homebrew Severity MEDIUM Ha
Wiz
CVE-2026-34230 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34230 [MEDIUM] CVE-2026-34230 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34230 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Source : NVD
## 5.3
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 5.3
Affecte
Wiz
CVE-2026-33306 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33306 [MEDIUM] CVE-2026-33306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33306 :
Ruby vulnerability analysis and mitigation
BCrypt.java
cost=31
$2a$31$...
checkpw
$2a$31$
Source : NVD
## 4.5
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 4.5
Affected Technologies
Ruby
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby-bcrypt
bcrypt
Sources
NVD
Debian 11 Severity HIGH No Fix Added at: Mar 22, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 22, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 22, 2026
Echo Severity HIGH No Fix Added at: Mar 22, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 20, 2026
RubyGems Has Fix Adde
Wiz
CVE-2026-33286 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33286 [MEDIUM] CVE-2026-33286 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33286 :
Ruby vulnerability analysis and mitigation
Graphiti::Util::ValidationResponse#all_valid?
model.send(name)
Source : NVD
## 9.1
Score
Published March 24, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
graphiti
Sources
NVD
RubyGems Severity CRITICAL Has Fix Added at: Mar 20, 2026
RubyGems Severity CRITICAL Has Fix Added at: Mar 24, 2026
Wiz
CVE-2026-1776 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-1776 [HIGH] CVE-2026-1776 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1776 :
Ruby vulnerability analysis and mitigation
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the inco
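The check the AWS uploader lacked is a path-containment test. The following is an added example, not Camaleon CMS code: `valid_folder_path?` is the project's name for its check, but the implementation below is assumed, not theirs, and `PRIVATE_ROOT` is constructed.

```ruby
require 'pathname'

# Added example, not Camaleon CMS code. A containment check of the kind the
# advisory says the AWS uploader skipped: resolve the requested file relative
# to the private root and require the result to stay inside it.

PRIVATE_ROOT = '/srv/app/private_files' # constructed

# Returns the absolute path inside PRIVATE_ROOT, or nil for anything that
# escapes it (traversal segments, absolute paths, NUL bytes).
def safe_private_path(requested)
  return nil if requested.nil? || requested.empty?
  return nil if requested.include?("\0") || requested.start_with?('/')
  root = Pathname.new(PRIVATE_ROOT).cleanpath
  candidate = (root + requested).cleanpath
  inside = candidate.to_s == root.to_s || candidate.to_s.start_with?("#{root}/")
  inside ? candidate.to_s : nil
end
```

This resolution is lexical; for files that exist on a local filesystem, `File.realpath` on both root and candidate before the comparison also defeats symlink escapes. For an object-store backend like the S3 uploader, the same comparison applies to the key prefix rather than a directory.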
Wiz
CVE-2026-3119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-3119 [MEDIUM] CVE-2026-3119 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3119 :
MinimOS vulnerability analysis and mitigation
named
named
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
MinimOS
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bind9.18-utils
bind-dnssec-utils
Sources
NVD
Alpine 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 26, 2026
Debian 11, 12 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 13, 14 Severity MEDIUM Has Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
MinimOS Severity MEDIUM Has Fix Added at: Mar 29, 2026
Red Hat 6, 7, 8,
Wiz
GHSA-p6pv-q7rc-g4h9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-p6pv-q7rc-g4h9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-p6pv-q7rc-g4h9 :
Ruby vulnerability analysis and mitigation
GHSL-2026-029
OrdersController#show
OrdersController#show
```ruby
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
```
authorize_access
```ruby
def authorize_access
  return true if @order.user_id.nil?
  @order.user == try_spree_current_user
end
```
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API.
Alternatively, brute forcing all or part of the space of possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, so an attacker would need to perform 1 billion requests to gather all guest orders. (
Wiz
CVE-2026-33169 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33169 [MEDIUM] CVE-2026-33169 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33169 :
Ruby vulnerability analysis and mitigation
NumberToDelimitedConverter
gsub!
gsub!
Source : NVD
## 6.9
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby4.0-activesupport
cpe:2.3:a:rubyonrails:rails
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 24, 2026
MinimOS Severity MEDIUM Has Fix Added at: Mar 24, 2026
Linux Severity
Wiz
GHSA-2j22-pr5w-6gq8 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
[MEDIUM] GHSA-2j22-pr5w-6gq8 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-2j22-pr5w-6gq8 :
Ruby vulnerability analysis and mitigation
## Summary
Loofah::HTML5::Scrub.allowed_uri?
javascript:
## Details
allowed_uri?
java script:alert(1)
java\rscript:alert(1)
sanitize()
allowed_uri?
## Impact
Loofah::HTML5::Scrub.allowed_uri?
href
2.25.0
## Mitigation
2.25.1
## Credit
Responsibly reported by HackerOne user @smlee.
Source : NVD
## 2.3
Score
Published March 26, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
loofah
Sources
NVD
RubyGems Severity LOW Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-34835 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34835 [MEDIUM] CVE-2026-34835 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34835 :
Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
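The following is an added example in plain Ruby, not Rack::Request's code, showing why the permissive authority match matters and what a strict alternative looks like: a host string that merely ends with the trusted name passes a suffix check, while a URL built from it is terminated by `/` or `#` and points elsewhere. The host names are constructed; the IPv6 pattern checks bracket syntax only, not full address validity.

```ruby
# Added example, not Rack::Request's code. A permissive authority match lets
# "/", "#", "?" and "@" through, and a suffix check on the resulting host is
# then bypassable. strict_host_port accepts only RFC 3986 reg-name, IPv4 or
# bracketed IPv6 forms; host_allowed? uses an exact allow-list.

REG_NAME = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?\z/
IPV4     = /\A(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\z/
IPV6_LIT = /\A\[[0-9A-Fa-f:.]+\]\z/ # bracket syntax only

ALLOWED_HOSTS = %w[trusted.example.com www.trusted.example.com].freeze # constructed

# Permissive shape: everything up to the first ":" is taken as the host, so an
# attacker-supplied "evil.example/#trusted.example.com" survives intact.
def permissive_host(authority)
  authority.split(':', 2).first
end

# Suffix check of the kind the advisory calls out as bypassable.
def naive_allowed?(host)
  host.end_with?('trusted.example.com')
end

# Strict "host[:port]" split; nil when the host is not a syntactically valid
# hostname / IP literal or the port is not 1-5 digits.
def strict_host_port(authority)
  m = authority.match(/\A(\[[^\]]*\]|[^\[\]:]+)(?::(\d{1,5}))?\z/)
  return nil unless m
  host = m[1]
  return nil unless host.match?(REG_NAME) || host.match?(IPV4) || host.match?(IPV6_LIT)
  [host.downcase, m[2]&.to_i]
end

# Exact allow-list on the strictly parsed host, never a prefix or suffix test.
def host_allowed?(authority)
  parsed = strict_host_port(authority)
  !parsed.nil? && ALLOWED_HOSTS.include?(parsed[0])
end
```

In a framework, the allow-list belongs in the host-authorization layer (Rails exposes this as `config.hosts`); the point of the example is that the list must be compared against a strictly validated host, since a permissive parser plus an exact list still admits `trusted.example.com@evil.example` if the comparison is done on a prefix.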
Source : NVD
## 6.5
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technolog
Wiz
CVE-2026-4324 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-4324 [MEDIUM] CVE-2026-4324 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4324 :
Ruby vulnerability analysis and mitigation
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.
Source : NVD
## 5.4
Score
Published March 17, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (
Wiz
CVE-2026-3104 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-3104 [HIGH] CVE-2026-3104 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3104 :
MinimOS vulnerability analysis and mitigation
A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
MinimOS
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bind9-next-libs
bind
Sources
NVD
Alpine 3.22, 3.23, edge
Wiz
CVE-2026-25757 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25757 [HIGH] CVE-2026-25757 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25757 :
Ruby vulnerability analysis and mitigation
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Source : NVD
Score 7.7
Published February 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Ruby
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
spree_storefront
Sources
NVD
Ru
Wiz (blogs_wiz) · CVSS 7.5
CVE-2026-22860 [HIGH] CVE-2026-22860 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22860: Ruby vulnerability analysis and mitigation
Rack::Directory
/../root_example/
Source : NVD
Score 7.5
Published February 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Ruby
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
logstash-9.3
ruby3.3-rails-8.0
Sources
NVD
Chainguard Has Fix Added at: Feb 20, 2026
Debian 11, 12, 13, 14 Severity HIGH Has Fix Added at: Feb 19, 2026
Echo Severity HIGH Has Fix Added at: Feb 19, 2026
RubyGems Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 20, 2026
MinimOS Severity HIGH Has Fix Added
Wiz (blogs_wiz) · CVSS 4.8
CVE-2026-34060 [MEDIUM] CVE-2026-34060 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34060: Ruby vulnerability analysis and mitigation
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
Source : NVD
Score 7.1
Published March 31, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Ruby
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.2
E
Wiz (blogs_wiz) · CVSS 4.8
CVE-2026-32700 [MEDIUM] CVE-2026-32700 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32700: Ruby vulnerability analysis and mitigation
reconfirmable
confirmation_token
unconfirmed_email
unconfirmed_email
unconfirmed_email
will_change!
changed_attributes["unconfirmed_email"] = nil
Source : NVD
Score 6.0
Published March 18, 2026
Severity MEDIUM
CNA Score 6.0
Affected Technologies
Ruby
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ruby-devise
devise
Sources
NVD
Debian 11 No Fix Added at: Mar 20, 2026
Echo Severity MEDIUM No Fix Added at: Mar 20, 2026
RubyGems Severity MEDIUM Has Fix Added at: Mar 17, 2026
RubyGems Has Fix Added at: Mar 24, 2026
Wiz (blogs_wiz) · CVSS 5.8
CVE-2026-34826 [MEDIUM] CVE-2026-34826 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34826: Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Source : NVD
Score 5.3
Pub
Wiz (blogs_wiz) · CVSS 8.2
CVE-2025-65017 [HIGH] CVE-2025-65017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65017: Ruby vulnerability analysis and mitigation
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case of UUID generation causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.
Source : NVD
Score 8.2
Published February 3, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
decidim-core
decidim
Sources
NVD
RubyGems Severity HIGH Has Fix Added at: Feb 04, 2026
Wiz (blogs_wiz) · CVSS 4.8
[MEDIUM] GHSA-w67g-2h6v-vjgq Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w67g-2h6v-vjgq: Ruby vulnerability analysis and mitigation
## Impact
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.
div(**user_attributes)
tag
tag(some_tag_name_from_user)
href
a(href: user_provided_link)
## Patches
Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.
The patched versions are:
2.4.1
2.3.2
2.2.2
2.1.3
2.0.2
main
## Workarounds
If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.
Source : NVD
Score 7.1
Published February 6, 2026
Severity HIGH
CNA Score N/A
Affected Tech
Wiz (blogs_wiz) · CVSS 4.8
CVE-2026-33195 [MEDIUM] CVE-2026-33195 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33195: Ruby vulnerability analysis and mitigation
DiskService#path_for
../
Source : NVD
Score 8.0
Published March 24, 2026
Severity HIGH
CNA Score 8.0
Affected Technologies
Ruby
Rails
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:rubyonrails:rails
rails
Sources
Chainguard Has Fix Added at: Mar 25, 2026
Debian 11, 14 Severity CRITICAL No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Echo Severity CRITICAL No Fix Added at: Mar 26, 2026
RubyGems Severity HIGH Has Fix Added at: Mar 24, 2026
Linux Severity CRITICAL Has Fix Added at: Mar 24,
Wiz (blogs_wiz) · CVSS 7.5
CVE-2026-34827 [HIGH] CVE-2026-34827 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34827: Ruby vulnerability analysis and mitigation
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.
Wiz (blogs_wiz) · CVSS 4.8
CVE-2026-31830 [MEDIUM] CVE-2026-31830 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31830: Ruby vulnerability analysis and mitigation
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.
Source : NVD
Score 7.5
Published March 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Ruby
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz (blogs_wiz) · CVSS 4.8
[MEDIUM] GHSA-mpwp-4h2m-765c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mpwp-4h2m-765c: Ruby vulnerability analysis and mitigation
Active Job vulnerability: An Active Job bug allowed String arguments to be deserialized as if they were Global IDs, an object injection security vulnerability.
Source : NVD
Score 6.6
Published January 16, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
activejob
Sources
NVD
RubyGems Severity MEDIUM Has Fix Added at: Jan 18, 2026
Wiz (blogs_wiz) · CVSS 4.8
CVE-2026-35201 [MEDIUM] CVE-2026-35201 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35201: Ruby vulnerability analysis and mitigation
Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This vulnerability is fixed in 2.2.7.4.
Source : NVD
Score 5.9
Published April 6, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected
2026-04-02
Published