14707 matches found
CVE-2026-59861
Kiota Ruby generator vulnerability (CVE-2026-59861): Before version 1.32.0, the Ruby code generator embedded OpenAPI-derived strings into Ruby double-quoted literals without escaping interpolation markers (# {expr}, #$var, #@var). This allowed attacker-controlled interpolations to inject arbitrar...
Ruby Dragonfly <1.4.0 - Remote Code Execution
Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verifyurl option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishand...
Ruby On Rails - Local File Inclusion
Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. id: CVE-2018-3760 info: name: Ruby On Rails - Local File Inclusio...
Ruby on Rails - Open Redirect via Host Header Injection
Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers. id: CVE-2021-22881 info: name: Ru...
Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on depending on the permissions of the underlying filesystem. E.g. This can lead to a remote...
Ruby on Rails Web Console - Remote Code Execution
Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelistedips protection mechanism via a crafted request to request.rb...
Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: ruby3.3: ruby3.3-3.3.10-23.4.hum1 aarch64, x8664 ruby3.3-bundled-gems-3.3.10-23.4.hum1 aarch64, x8664 ruby3.3-default-gems-3.3.10-23.4.hum1 noarch ruby3.3-devel-3.3.10-23.4.hum1 aarch64, x8664...
CVE-2026-45363
ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...
CVE-2026-45363
CVE-2026-45363 affects the ruby-jwt gem (Ruby implementation of JWT). Prior to versions 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') can accept attacker-forged tokens because OpenSSL::HMAC.digest('SHA256', '', payload) yields a valid digest with an empty key, and empty-key pa...
CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass
ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: ruby3.4: ruby3.4-3.4.10-31.hum1 aarch64, x8664 ruby3.4-bundled-gems-3.4.10-31.hum1 aarch64, x8664 ruby3.4-default-gems-3.4.10-31.hum1 noarch ruby3.4-devel-3.4.10-31.hum1 aarch64, x8664...
net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAPstarttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle MITM attacker can inject a predicted tagged OK response...
ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses
A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol IMAP client functionality. A hostile server can exploit a quadratic time complexity issue in the Net::IMAP::ResponseReader when processing large responses containing numerous string literals. This can...
RHSA-2026:37397 Red Hat Security Advisory: ruby security update
Bulletin has no description...
RHSA-2026:37238 Red Hat Security Advisory: ruby:3.3 security update
Bulletin has no description...
MiracleLinux 8 : ruby:3.3 (AXSA:2026-1246:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-1246:01 advisory. ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses CVE-2026-42245 ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via...
net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAPstarttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle MITM attacker can inject a predicted tagged OK response...
ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments
A flaw was found in Net::IMAP, a Ruby library that provides Internet Message Access Protocol IMAP client functionality. This vulnerability allows a remote attacker to inject arbitrary IMAP commands. This is achieved by passing specially crafted symbol arguments to IMAP commands. Successful...
Important: Red Hat Security Advisory: ruby security update
An update for ruby is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
OESA-2026-2968 rubygem-faraday security update
HTTP/REST API client library Security Fixes: Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a...