13977 matches found
MongoDB Ruby Driver Security Vulnerability
The MongoDB Ruby Driver is an open-source Ruby library developed by MongoDB. There is a security vulnerability in the MongoDB Ruby Driver, which may allow arbitrary Ruby code to be executed when processing specially crafted Hash r types...
PT-2026-7435
Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code...
CVE-2025-61594 affecting package ruby for versions less than 3.3.5-7
CVE-2025-61594 affecting package ruby for versions less than 3.3.5-7. A patched version of the package is available...
DEBIAN-CVE-2026-25765
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method in lib/faraday/connection.rb uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
AZL-77631 CVE-2026-25765 affecting package rubygem-faraday 2.7.10-1
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method in lib/faraday/connection.rb uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
CVE-2026-25765 affects Faraday (an HTTP client abstraction). The vulnerability arises in build_exclusive_url (lib/faraday/connection.rb) which uses URI#merge; protocol-relative URLs (e.g., //evil.com/…) override the base URL’s host, enabling potential SSRF if user-controlled input is passed to ge...
CVE-2026-25757 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...
CVE-2026-1979
A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This...
CVE-2025-61594 affecting package ruby for versions less than 3.1.7-4
CVE-2025-61594 affecting package ruby for versions less than 3.1.7-4. A patched version of the package is available...
Exploit for Path Traversal in Tuzitio Camaleon_Cms
Exploit-for-CVE-2024-46987 Exploit for CVE-2024-46987 usage:...
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2026-1227)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only if(description)...
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2026-1215)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only if(description)...
Decidim Security Vulnerability
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.30.0 up to 0.30.4, as well as versions from 0.31.0.rc1 up to 0.31.0, have security vulnerabilities. These vulnerabilities stem from UUID collisions in the private data export...
EulerOS 2.0 SP13 : ruby (EulerOS-SA-2026-1227)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fi...
EulerOS 2.0 SP13 : ruby (EulerOS-SA-2026-1215)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fi...
EulerOS Virtualization 2.10.0 : yajl (EulerOS-SA-2026-1204)
According to the versions of the yajl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes wi...
EulerOS Virtualization 2.10.1 : yajl (EulerOS-SA-2026-1152)
According to the versions of the yajl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes wi...
CLSA-2026-1769511237 ruby: Fix of 2 CVEs
CVE-2025-61594: fix incomplete fix for CVE-2025-27221 which allowed credential leaks to persist in URI+ CVE-2025-27221: fix credential leak by correctly truncating userinfo...
CVE-2026-1097
The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it...