Rubyonrails Rails vulnerabilities

CVE-2026-33195 [HIGH] CWE-22 CVE-2026-33195: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow

CVE-2026-33176 [MEDIUM] CWE-400 CVE-2026-33176: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails f Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive

CVE-2026-33170 [MEDIUM] CWE-79 CVE-2026-33170: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails f Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted argum

CVE-2026-33169 [MEDIUM] CWE-400 CVE-2026-33169: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails f Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce

CVE-2026-33173 [MEDIUM] CWE-925 CVE-2026-33173: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can

CVE-2026-33202 [MEDIUM] CWE-74 CVE-2026-33202: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharact

CVE-2026-33174 [MEDIUM] CWE-789 CVE-2026-33174: Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-

CVE-2024-28103 [MEDIUM] CWE-20 CVE-2024-28103: Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

CVE-2024-32464 [MEDIUM] CWE-79 CVE-2024-32464: Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::Cont Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.

CVE-2024-26142 [HIGH] CWE-1333 CVE-2024-26142: Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerabi Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

CVE-2024-26144 [MEDIUM] CWE-200 CVE-2024-26144: Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive ses Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an inform

CVE-2024-26143 [MEDIUM] CWE-79 CVE-2024-26143: Rails is a web-application framework. There is a possible XSS vulnerability when using the translati Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptib

CVE-2023-22792 [HIGH] CWE-400 CVE-2023-22792: A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Sp A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to

CVE-2023-22795 [HIGH] CWE-400 CVE-2023-22795: A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and

CVE-2023-22797 [MEDIUM] CWE-601 CVE-2023-22797: An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redire An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an

CVE-2022-23633 [HIGH] CWE-200 CVE-2022-23633: Action Pack is a framework for handling and responding to web requests. Under certain circumstances Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been

CVE-2022-23634 [HIGH] CWE-200 CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may no Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the

CVE-2021-44528 [MEDIUM] CWE-601 CVE-2021-44528: A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

CVE-2011-1497 [MEDIUM] CWE-79 CVE-2011-1497: A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before versio A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

CVE-2021-22942 [MEDIUM] CWE-601 CVE-2021-22942: A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.