Lucene search
+L

14707 matches found

cve
cve
added yesterday8 views

CVE-2026-59861

Kiota Ruby generator vulnerability (CVE-2026-59861): Before version 1.32.0, the Ruby code generator embedded OpenAPI-derived strings into Ruby double-quoted literals without escaping interpolation markers (# {expr}, #$var, #@var). This allowed attacker-controlled interpolations to inject arbitrar...

7.5CVSS6.2AI score
Exploits0References4
nuclei
nuclei
added yesterday77 views

Ruby Dragonfly <1.4.0 - Remote Code Execution

Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verifyurl option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishand...

9.8CVSS7.2AI score0.72249EPSS
Exploits4References5
nuclei
nuclei
added yesterday124 views

Ruby On Rails - Local File Inclusion

Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. id: CVE-2018-3760 info: name: Ruby On Rails - Local File Inclusio...

7.5CVSS7AI score0.26717EPSS
Exploits2References5
nuclei
nuclei
added yesterday27 views

Ruby on Rails - Open Redirect via Host Header Injection

Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers. id: CVE-2021-22881 info: name: Ru...

6.1CVSS6.6AI score0.87301EPSS
Exploits1References2
nuclei
nuclei
added yesterday169 views

Camaleon CMS < 2.8.1 Arbitrary File Write to RCE

An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on depending on the permissions of the underlying filesystem. E.g. This can lead to a remote...

9.9CVSS6.5AI score0.35461EPSS
Exploits2References5
nuclei
nuclei
added yesterday77 views

Ruby on Rails Web Console - Remote Code Execution

Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelistedips protection mechanism via a crafted request to request.rb...

4.3CVSS6.2AI score0.44984EPSS
Exploits6References5
redhat
redhat
added 2 days ago6 views

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: ruby3.3: ruby3.3-3.3.10-23.4.hum1 aarch64, x8664 ruby3.3-bundled-gems-3.3.10-23.4.hum1 aarch64, x8664 ruby3.3-default-gems-3.3.10-23.4.hum1 noarch ruby3.3-devel-3.3.10-23.4.hum1 aarch64, x8664...

9.8CVSS6.1AI score0.00491EPSS
Exploits0References6
nvd
nvd
added 3 days ago5 views

CVE-2026-45363

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...

9.1CVSS0.00242EPSS
Exploits0References5
cve
cve
added 3 days ago37 views

CVE-2026-45363

CVE-2026-45363 affects the ruby-jwt gem (Ruby implementation of JWT). Prior to versions 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') can accept attacker-forged tokens because OpenSSL::HMAC.digest('SHA256', '', payload) yields a valid digest with an empty key, and empty-key pa...

9.1CVSS6.9AI score0.00242EPSS
Exploits0References5
cvelist
cvelist
added 3 days ago39 views

CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token because OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key and no empty-key...

9.1CVSS0.00242EPSS
Exploits0References5
redhat
redhat
added 4 days ago5 views

Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: ruby3.4: ruby3.4-3.4.10-31.hum1 aarch64, x8664 ruby3.4-bundled-gems-3.4.10-31.hum1 aarch64, x8664 ruby3.4-default-gems-3.4.10-31.hum1 noarch ruby3.4-devel-3.4.10-31.hum1 aarch64, x8664...

9.8CVSS6.1AI score0.00429EPSS
Exploits0References7
redhat
redhat
added 4 days ago3 views

net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS

A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAPstarttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle MITM attacker can inject a predicted tagged OK response...

7.6CVSS6AI score0.00324EPSS
Exploits0References12
redhat
redhat
added 4 days ago4 views

ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses

A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol IMAP client functionality. A hostile server can exploit a quadratic time complexity issue in the Net::IMAP::ResponseReader when processing large responses containing numerous string literals. This can...

7.5CVSS6AI score0.0041EPSS
Exploits0References11
osv
osv
added last week3 views

RHSA-2026:37397 Red Hat Security Advisory: ruby security update

Bulletin has no description...

7.4CVSS6.1AI score0.00813EPSS
Exploits0References21
osv
osv
added last week1 views

RHSA-2026:37238 Red Hat Security Advisory: ruby:3.3 security update

Bulletin has no description...

8.1CVSS6.1AI score0.01131EPSS
Exploits0References34
nessus
nessus
added 2026/07/10 12:0 a.m.7 views

MiracleLinux 8 : ruby:3.3 (AXSA:2026-1246:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-1246:01 advisory. ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses CVE-2026-42245 ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via...

7.6CVSS6.2AI score0.00813EPSS
Exploits0References4
redhat
redhat
added 2026/07/09 5:43 p.m.5 views

net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS

A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAPstarttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle MITM attacker can inject a predicted tagged OK response...

7.6CVSS5.8AI score0.00324EPSS
Exploits0References12
redhat
redhat
added 2026/07/09 5:43 p.m.6 views

ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments

A flaw was found in Net::IMAP, a Ruby library that provides Internet Message Access Protocol IMAP client functionality. This vulnerability allows a remote attacker to inject arbitrary IMAP commands. This is achieved by passing specially crafted symbol arguments to IMAP commands. Successful...

7.1CVSS6.1AI score0.00813EPSS
Exploits0References8
redhat
redhat
added 2026/07/09 5:43 p.m.6 views

Important: Red Hat Security Advisory: ruby security update

An update for ruby is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

7.6CVSS6AI score0.00813EPSS
Exploits0References3
osv
osv
added 2026/07/09 12:55 p.m.3 views

OESA-2026-2968 rubygem-faraday security update

HTTP/REST API client library Security Fixes: Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a...

7.5CVSS6.2AI score0.00391EPSS
Exploits1References3
Rows per page
Query Builder