CVE-2026-33202
CVE-2026-33202 (Rails Active Storage) : The DiskService#delete_prefixed path in Active Storage passes blob keys directly to Dir.glob without escaping glob metacharacters. If attacker-controlled blob keys include characters like * or ?, an attacker could delete unintended files in the storage dire...