92 matches found

Tenable Nessus
added 2026/06/20 12:0 a.m. · 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-44587

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex...

CVSS 6.1 · AI score 6 · EPSS 0.00223
Exploits 1 · References 3
NVD
added 2026/06/17 1:20 p.m. · 6 views

CVE-2026-44587

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In...

CVSS 6.1 · EPSS 0.00223
Exploits 1 · References 3
OSV
added 2026/06/17 1:20 p.m. · 4 views

DEBIAN-CVE-2026-44587

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In...

CVSS 6.1 · AI score 5.9 · EPSS 0.00223
Exploits 1 · References 1
OSV
added 2026/06/17 1:20 p.m. · 6 views

UBUNTU-CVE-2026-44587

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In...

CVSS 6.1 · AI score 5.9 · EPSS 0.00223
Exploits 1 · References 2
Cvelist
added 2026/06/16 11:10 p.m. · 16 views

CVE-2026-44587 CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In...

CVSS 4.7 · EPSS 0.00223
Exploits 1 · References 3
CVE
added 2026/06/16 11:10 p.m. · 22 views

CVE-2026-44587

CarrierWave (Ruby) before versions 2.2.7 and 3.1.3 contains a denylisted_content_type bypass: denylist entries are interpolated into a regex without Regexp.quote or a start anchor, so entries like image/svg+xml render the pattern that fails to match the real MIME type (e.g., /image/svg+x/). This ...

CVSS 6.1 · AI score 5.4 · EPSS 0.00223
Exploits 1 · References 3 · Affected Software 1
Github Security Blog
added 2026/05/27 12:3 a.m. · 27 views

CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

Summary: CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. Note: CarrierWave is aware content_type_denylist is deprecated for security reasons, but it is still used by...

CVSS 6.1 · AI score 5.9 · EPSS 0.00223
Exploits 1 · References 4 · Affected Software 1
Snyk
added 2026/05/27 12:3 a.m. · 9 views

Improper Encoding or Escaping of Output

Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output that allows bypassing of the content_type_denylist in the denylisted_content_type? function. An attacker can upload files with MIME types containing unescaped regex metacharacters, including the + in...

CVSS 6.1 · AI score 5.7 · EPSS 0.00223
Exploits 1 · References 2
OSV
added 2026/05/27 12:3 a.m. · 10 views

GHSA-7G26-2QGJ-CHFG CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

Summary: CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. Note: CarrierWave is aware content_type_denylist is deprecated for security reasons, but it is still used by...

CVSS 4.7 · AI score 5.9 · EPSS 0.00223
Exploits 1 · References 4
Positive Technologies
added 2026/05/27 12:0 a.m. · 15 views

PT-2026-43454

Name of the Vulnerable Software and Affected Versions: CarrierWave versions prior to 2.2.7; CarrierWave versions prior to 3.1.3. Description: CarrierWave is a framework used to upload files from Ruby applications. The content type denylist check fails to escape regex metacharacters in string entries,...

CVSS 4.7 · AI score 5.3 · EPSS 0.00223
Exploits 1 · References 9
RubySec
added 2026/05/27 12:0 a.m. · 11 views

CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

Summary: CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. Note: CarrierWave is aware content_type_denylist is deprecated for security reasons, but it is still used by...

CVSS 6.1 · AI score 5.8 · EPSS 0.00223
Exploits 1 · References 1 · Affected Software 1
Circl
added 2026/05/23 5:40 a.m. · 8 views

CVE-2026-44587

creation_timestamp | type | source
--- | --- | ---
2026-05-23 05:40:33+00:00 | published-proof-of-concept | https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg
2026-06-17 03:43:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mohfhrsnfp2j...

CVSS 6.1 · AI score 5.8 · EPSS 0.00223
Exploits 1 · References 2
RedhatCVE
added 2026/01/09 9:28 a.m. · 7 views

CVE-2023-49090

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match. If the...

CVSS 6.8 · AI score 6.6 · EPSS 0.00613
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2021-0545

Malware in sbrugna...

CVSS 8.8 · AI score 8.6 · EPSS 0.12678
Exploits 1 · References 9
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2021-0552

Malware in sbrugna...

CVSS 4.3 · AI score 4.5 · EPSS 0.01173
Exploits 0 · References 10
EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2024-1016

Malicious code in bioql PyPI...

CVSS 6.8 · AI score 6.4 · EPSS 0.0044
Exploits 0 · References 5
EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2023-2969

Malicious code in bioql PyPI...

CVSS 6.8 · AI score 6.4 · EPSS 0.00613
Exploits 0 · References 9
Tenable Nessus
added 2025/08/27 12:0 a.m. · 6 views

Linux Distros Unpatched Vulnerability : CVE-2021-21305

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and...

CVSS 8.8 · AI score 8.2 · EPSS 0.12678
Exploits 1 · References 2
RedhatCVE
added 2025/05/23 10:2 a.m. · 5 views

CVE-2024-29034

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value tha...

CVSS 6.8 · AI score 6.7 · EPSS 0.00613
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 9:30 p.m. · 11 views

CVE-2021-21288

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are intended for...

CVSS 4.3 · AI score 6.4 · EPSS 0.01173
Exploits 0 · References 1