Lucene search
K

120 matches found

RedhatCVE
RedhatCVE
added 2026/03/24 10:2 a.m.9 views

CVE-2026-33170

A flaw was found in Active Support, a toolkit of support libraries for the Rails framework. When a SafeBuffer is modified in place and subsequently formatted with untrusted input, the @htmlunsafe flag is not correctly propagated. This improper handling causes the buffer to incorrectly report as...

6.1CVSS5.8AI score0.00327EPSS
Exploits0References10
Snyk
Snyk
added 2026/03/24 12:32 a.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in debug exceptions, which use ERB escaping. An attacker can execute JavaScript in the context of the affected application by triggering a malicious exception message that is rendered bypassing the intended...

6.1CVSS5.7AI score0.00401EPSS
Exploits0References2
OSV
OSV
added 2026/03/24 12:16 a.m.12 views

UBUNTU-CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

6.1CVSS5.8AI score0.00327EPSS
Exploits0References9
OSV
OSV
added 2026/03/23 11:9 p.m.5 views

CVE-2026-33170 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

5.3CVSS5.9AI score0.00327EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/03/23 8:53 p.m.6 views

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and then formatted with % using untrusted arguments, the result incorrectly reports htmlsafe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

6.1CVSS6.1AI score0.00327EPSS
Exploits0References10Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.4 views

PT-2026-27257

Name of the Vulnerable Software and Affected Versions Active Support versions prior to 8.1.2.1 Active Support versions prior to 8.0.4.1 Active Support versions prior to 7.2.3.1 Description The SafeBuffer% function does not correctly propagate the @html unsafe flag to newly created buffers. If a...

6.1CVSS6.1AI score0.00327EPSS
Exploits0References21
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2021-1326

Malware in sbrugna...

7.4CVSS6.9AI score0.01433EPSS
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/08/14 6:52 p.m.4 views

Malicious code in erb-mux (npm)

The package erb-mux was found to contain malicious code...

7AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.4 views

MAL-2025-19761 Malicious code in erb-mux (npm)

The package erb-mux was found to contain malicious code...

7.2AI score
Exploits0
Snyk
Snyk
added 2024/04/26 10:19 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the substr parameter, which is output in the metrics.erb view of the Web UI without encoding. This reflected cross-site scripting attack can target users of the victim application or others hosted on the sam...

6.5CVSS5.2AI score0.00594EPSS
Exploits0References2
OSV
OSV
added 2024/02/29 12:0 a.m.15 views

UBUNTU-CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting XSS attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in...

6.1CVSS7.1AI score0.0106EPSS
Exploits1References9
OSV
OSV
added 2024/02/28 8:15 p.m.4 views

DEBIAN-CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting XSS attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in...

6.1CVSS6.5AI score0.0106EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2024/02/28 12:0 a.m.4 views

PT-2024-21793 · Yard +4 · Yard +4

Name of the Vulnerable Software and Affected Versions: YARD versions prior to 0.9.36 Description: The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting XSS attacks due to inadequate sanitization of user input within the JavaScript segment of th...

7.5CVSS6.9AI score0.02894EPSS
Exploits1References41
Wordfence Blog
Wordfence Blog
added 2023/12/07 8:21 p.m.30 views

Vulnerability Researchers: Check out The Critical Thinking Podcast

Today, The Wordfence Bug Bounty Program was featured on an episode of the Critical Thinking Podcast, a top resource and community for bug bounty researchers. Critical Thinking is a podcast focused on ethical hacking and security analysis and is described as a “by Hackers for Hackers podcast focus...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2022/07/29 9:46 p.m.59 views

Ruby on Rails: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)

While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it see here:...

5.8CVSS6.1AI score0.29316EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2021/07/08 9:35 a.m.76 views

CVE-2021-32723

A flaw was found in npm-prismjs. An attacker can craft a string that will take a very long time to highlight when used to work with un-trusted text resulting in ReDoS. This can affect the system availability. There is no known risk of privilege escalation on data compromise. Mitigation As a...

7.4CVSS2.2AI score0.01433EPSS
Exploits0References4
OSV
OSV
added 2021/06/28 8:15 p.m.16 views

CVE-2021-32723

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service ReDoS. When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fix...

6.5CVSS6.3AI score
Exploits0References4
Prion
Prion
added 2021/06/28 8:15 p.m.20 views

Design/Logic Flaw

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service ReDoS. When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fix...

4.3CVSS6.5AI score0.01433EPSS
Exploits0References4Affected Software2
Cvelist
Cvelist
added 2021/06/28 7:15 p.m.29 views

CVE-2021-32723 Regular Expression Denial of Service (ReDoS) in Prism

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service ReDoS. When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fix...

7.4CVSS7.7AI score0.01433EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2021/06/28 6:33 p.m.59 views

Regular Expression Denial of Service (ReDoS) in Prism

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service ReDoS. Impact When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted...

7.4CVSS1.5AI score0.01433EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder