14147 matches found

Chainguard | added 2026/03/30 1:17 p.m. | 2 views

GHSA-P9FM-F462-GGRG vulnerabilities

Vulnerabilities for packages: gitlab-rails-ce-fips, ruby3.4-rails, gitlab-rails-ce...

AI score 5.4 | Exploits 0
Chainguard | added 2026/03/30 1:17 p.m. | 2 views

GHSA-2J22-PR5W-6GQ8 vulnerabilities

Vulnerabilities for packages: ruby3.2-rails, ruby3.4-rails, ruby3.3-rails, ruby4.0-rails...

AI score 5.4 | Exploits 0
OSV | added 2026/03/29 6:43 p.m. | 2 views

ROOT-OS-ALPINE-318-CVE-2024-41946 CVE-2024-41946 in rootio-ruby-rexml - Patched by Root

Root has patched CVE-2024-41946 in the rootio-ruby-rexml package for Root:Alpine:3.18. Multiple fixed versions available...

CVSS 7.5 | AI score 7.6 | EPSS 0.00679
Exploits 0
Veracode | added 2026/03/28 5:29 a.m. | 4 views

Session Hijacking

MCP Ruby SDK is vulnerable to Session Hijacking. The vulnerability is due to insufficient session binding, where an attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data...

CVSS 8.2 | AI score 5.7 | EPSS 0.00064
Exploits 1 | References 3 | Affected Software 1
Veracode | added 2026/03/28 5:28 a.m. | 6 views

Remote Code Execution (RCE)

ruby-lsp is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsanitized interpolation of the rubyLsp.branch setting into a generated Gemfile, which allows an attacker to inject malicious code that executes when a user opens a crafted project...

CVSS 9.8 | AI score 6.1 | EPSS 0.00048
Exploits 0 | References 2 | Affected Software 1
Fedora | added 2026/03/28 12:19 a.m. | 7 views

[SECURITY] Fedora 44 Update: rubygem-json-2.19.2-1.fc44

This is an implementation of the JSON specification according to RFC 4627 in Ruby. You can think of it as a low-fat alternative to XML, if you want to store data to disk or transmit it over a network rather than use a verbose markup language...

CVSS 9.1 | AI score 5.9 | EPSS 0.00038
Exploits 0
Tenable Nessus | added 2026/03/28 12:00 a.m. | 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-33167

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does no...

CVSS 5.3 | AI score 6 | EPSS 0.00022
Exploits 0 | References 2
Tenable Nessus | added 2026/03/28 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33635

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2,...

CVSS 4.3 | AI score 6 | EPSS 0.0005
Exploits 1 | References 3
Tenable Nessus | added 2026/03/28 12:00 a.m. | 3 views

Fedora 44 : rubygem-json (2026-3a7663d43d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory. New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210. Tenable has extract...

CVSS 9.1 | AI score 6 | EPSS 0.00038
Exploits 0 | References 2
Snyk | added 2026/03/27 11:24 p.m. | 1 view

Session Fixation

Overview: mcp is the official Ruby SDK for Model Context Protocol servers and clients. Affected versions of this package are vulnerable to Session Fixation through the store_stream_for_session process in lib/mcp/server/transports/streamable_http_transport.rb. An attacker can intercept all subsequent...

CVSS 8.6 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 2
NVD | added 2026/03/27 10:16 p.m. | 2 views

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | EPSS 0.00064
Exploits 1 | References 8
EUVD | added 2026/03/27 9:20 p.m. | 3 views

EUVD-2026-16866

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 8
CVE | added 2026/03/27 9:20 p.m. | 12 views

CVE-2026-33946

The CVE affects the MCP Ruby SDK prior to 0.9.2. In streamable_http_transport.rb, an attacker with a valid session ID can hijack the victim's SSE stream and intercept real-time data, due to insufficient session binding. Version 0.9.2 patches this. No additional exploit details are provided beyond...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 8 | Affected Software 1
ATTACKERKB | added 2026/03/27 9:20 p.m. | 1 view

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 9 | Affected Software 1
Vulnrichment | added 2026/03/27 9:20 p.m. | 1 view

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 8
Cvelist | added 2026/03/27 9:20 p.m. | 18 views

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | EPSS 0.00064
Exploits 1 | References 8
OSV | added 2026/03/27 9:20 p.m. | 3 views

CVE-2026-33946 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 10
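The CVE-2026-33946 entries above (Veracode, Snyk, NVD, EUVD, CVE, ATTACKERKB, Vulnrichment, Cvelist, OSV) all describe one defect: the session ID alone decides which SSE stream receives a session's events, so a replayed ID lets an attacker swap in their own stream. The Ruby below is an added illustration, not the MCP Ruby SDK's code and not its 0.9.2 fix; the class names, the `store_stream_for_session(sid, credential, stream)` signature, the use of a plain array to stand in for an SSE stream, and the choice of binding a session to a SHA-256 fingerprint of the bearer credential are all assumptions. It places a minimal unbound transport beside a bound one and replays a leaked session ID against each.

```ruby
require "securerandom"
require "digest"

# Vulnerable shape: the session ID is the only thing consulted when a
# client attaches its SSE stream. The credential argument is accepted
# but never checked, so whoever holds a leaked or guessed ID can replace
# the victim's stream with their own and receive every later event.
class UnboundTransport
  def initialize
    @streams = {} # session id => array standing in for the SSE stream
  end

  def create_session(_credential)
    sid = SecureRandom.hex(16)
    @streams[sid] = nil
    sid
  end

  def store_stream_for_session(sid, _credential, stream)
    raise KeyError, "unknown session #{sid}" unless @streams.key?(sid)
    @streams[sid] = stream
    true
  end

  def send_to_session(sid, event)
    @streams.fetch(sid) << event
  end
end

# Hardened shape (one possible design, assumed here, not the SDK's fix):
# the session records a SHA-256 fingerprint of the credential it was
# created with, and attaching a stream must present the same credential.
# A bare session ID no longer authorizes anything.
class BoundTransport
  Session = Struct.new(:principal, :stream)

  def initialize
    @sessions = {}
  end

  def create_session(credential)
    sid = SecureRandom.hex(16)
    @sessions[sid] = Session.new(fingerprint(credential), nil)
    sid
  end

  # On a binding mismatch, refuse and leave the existing stream untouched.
  def store_stream_for_session(sid, credential, stream)
    session = @sessions.fetch(sid) { raise KeyError, "unknown session #{sid}" }
    return false unless secure_equal?(session.principal, fingerprint(credential))
    session.stream = stream
    true
  end

  def send_to_session(sid, event)
    @sessions.fetch(sid).stream << event
  end

  private

  def fingerprint(credential)
    Digest::SHA256.hexdigest(credential)
  end

  # Constant-time comparison so the check itself does not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replay a session ID the attacker obtained but did not create, then have
# the server push one event. Returns what each party's stream received.
# Both bearer tokens are constructed sample values.
def replay_session_id(transport_class)
  transport = transport_class.new
  victim_stream = []
  attacker_stream = []

  sid = transport.create_session("victim-bearer-token")
  transport.store_stream_for_session(sid, "victim-bearer-token", victim_stream)
  # The attacker knows sid (log line, shared proxy, referer) but not the token.
  transport.store_stream_for_session(sid, "attacker-bearer-token", attacker_stream)

  transport.send_to_session(sid, "tools/call result: customer export")
  { victim: victim_stream, attacker: attacker_stream }
end

if __FILE__ == $PROGRAM_NAME
  p replay_session_id(UnboundTransport) # event lands in the attacker's array
  p replay_session_id(BoundTransport)   # event lands in the victim's array
end
```

The binding material does not have to be a bearer token; a TLS client certificate fingerprint or an authenticated user ID from the surrounding HTTP layer works the same way. What matters is that the material is something the attacker does not obtain along with the session ID, and that the transport checks it on every stream attach, not only at session creation.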
Github Security Blog | added 2026/03/27 7:43 p.m. | 5 views

Ruby LSP has arbitrary code execution through branch setting

Summary: The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace settings that get automatically...

CVSS 9.8 | AI score 6.3 | EPSS 0.00048
Exploits 0 | References 5 | Affected Software 1
OSV | added 2026/03/27 7:43 p.m. | 0 views

GHSA-C4R5-FXQW-VH93 Ruby LSP has arbitrary code execution through branch setting

Summary: The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace settings that get automatically...

CVSS 7.1 | AI score 6.3 | EPSS 0.00048
Exploits 0 | References 5
Snyk | added 2026/03/27 7:43 p.m. | 2 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via unsanitized interpolation of the branch setting in the Gemfile generation process. An attacker can execute arbitrary Ruby code by crafting a malicious .vscode/settings.json or equivalent workspace...

CVSS 9.8 | AI score 6.2 | EPSS 0.00048
Exploits 0 | References 2
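The Ruby LSP entries above (Veracode, Github Security Blog, OSV GHSA-C4R5-FXQW-VH93, Snyk) share one root cause: a workspace setting is dropped straight into generated Ruby source. Bundler evaluates a Gemfile as Ruby, so a value that closes the string literal becomes code. The Ruby below is an added illustration, not Ruby LSP's code or its fix; the git URL, the two generator functions, the branch allowlist regex and the sample settings file are assumptions. It parses a constructed malicious `.vscode/settings.json`, shows the unsafe generator emitting an extra `system` call, and shows a hardened generator rejecting the value (and quoting it with `String#inspect` as defense in depth). The check lexes the generated Gemfile with Ripper from the standard library and counts method identifiers rather than evaluating it, so the demonstration never runs the injected code.

```ruby
require "json"
require "ripper"

GIT_URL = "https://github.com/Shopify/ruby-lsp" # assumed remote, for illustration only

# Vulnerable shape: the setting is interpolated straight into the Gemfile.
# A Gemfile is Ruby that Bundler instance_evals, so a value that closes
# the string literal turns into code that runs on `bundle install`.
def gemfile_unsafe(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", git: "#{GIT_URL}", branch: "#{branch}"
  GEMFILE
end

# Allowlist for a branch name: leading alphanumeric, then a conservative
# git-refname subset, no "..", bounded length. \A and \z are used rather
# than ^ and $, which in Ruby match at line boundaries and would let a
# value with an embedded newline through.
BRANCH_RE = %r{\A(?!.*\.\.)[A-Za-z0-9][A-Za-z0-9._/-]{0,254}\z}

def validate_branch!(branch)
  return branch if branch.is_a?(String) && branch.match?(BRANCH_RE)
  raise ArgumentError, "rubyLsp.branch rejected: #{branch.inspect}"
end

# Hardened shape: validate first, then emit the value with String#inspect so
# it is a properly quoted literal even if the allowlist is relaxed later.
def gemfile_safe(branch)
  validate_branch!(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", git: "#{GIT_URL}", branch: #{branch.inspect}
  GEMFILE
end

# Method-call identifiers the Ruby lexer sees in a generated Gemfile.
# A clean file yields only source/gem; anything else means the branch
# value escaped its string literal. Lexing, not evaluating, keeps the
# check side-effect free.
def method_idents(gemfile_src)
  Ripper.lex(gemfile_src)
        .select { |tok| tok[1] == :on_ident }
        .map { |tok| tok[2] }
        .uniq
end

# Constructed sample of a malicious .vscode/settings.json (not taken from
# the advisories). The single-quoted heredoc keeps the JSON escapes intact.
MALICIOUS_SETTINGS = <<~'JSON'
  { "rubyLsp.branch": "main\"; system(\"echo pwned\"); #" }
JSON

def branch_from_settings(settings_json)
  JSON.parse(settings_json).fetch("rubyLsp.branch")
end

if __FILE__ == $PROGRAM_NAME
  evil = branch_from_settings(MALICIOUS_SETTINGS)
  puts gemfile_unsafe(evil)
  p method_idents(gemfile_unsafe(evil))        # ["source", "gem", "system"]
  begin
    gemfile_safe(evil)
  rescue ArgumentError => e
    puts "hardened generator: #{e.message}"
  end
  p method_idents(gemfile_safe("release/1.2")) # ["source", "gem"]
end
```

The allowlist is the real control; `inspect` only guarantees that whatever survives validation is emitted as a string literal and cannot terminate it. Neither step makes the branch value trustworthy to git, which is why the regex also refuses `..` and values that do not start with an alphanumeric character.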