Rails Activesupport vulnerabilities
5 known vulnerabilities affecting rails/activesupport.
Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
MEDIUM: 5
Vulnerabilities
CVE-2026-33176 | MEDIUM | CVSS 6.6 | CWE-400 | affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | published 2026-03-24
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive
Sources: cvelistv5, nvd
CVE-2026-33170 | MEDIUM | CVSS 5.3 | CWE-79 | affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | published 2026-03-24
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted argum
Sources: cvelistv5, nvd
CVE-2026-33169 | MEDIUM | CVSS 6.9 | CWE-400 | affected: >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; +1 more | published 2026-03-24
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce
Sources: cvelistv5, nvd
CVE-2023-38037 | MEDIUM | CVSS 5.5 | CWE-732 | affected: >= 5.2.0 (upper bound not given) | published 2025-01-09
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read th
Sources: cvelistv5, nvd
CVE-2023-28120 | MEDIUM | CVSS 5.3 | CWE-79 | affected: < 7.0.4.3; < 6.1.7.3 | published 2025-01-09
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
Sources: cvelistv5, nvd