SUSE CVE-2026-32762
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons...
SUSE CVE-2026-34827
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with...
EUVD-2026-18423
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing...
DEBIAN-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
CVE-2026-34829
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...
CVE-2026-34785 Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...
PT-2026-29810
Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 Description: Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If the root path contains regex metacharacters su...
PT-2026-1894
Name of the Vulnerable Software and Affected Versions: shinetheme Traveler versions through 3.2.6 Description: The software contains a missing authorization issue related to incorrectly configured access control security levels. This allows for potential exploitation of the system. Recommendations:...
EUVD-2025-201991
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6...
WordPress StaffList plugin <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Ivan Cese in WordPress Plugin StaffList versions <= 3.2.6...
PT-2025-1546 · WordPress · Themefic Ultimate Addons For Contact Form 7
Name of the Vulnerable Software and Affected Versions: Themefic Ultimate Addons for Contact Form 7 versions 3.2.6 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. Recommendations:...
PT-2024-30544 · Snowflake · Snowflake Jdbc Driver
Name of the Vulnerable Software and Affected Versions: Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1 [...] >= 3.2.6 and <= 3.19.1, upgrade to version 3.20.0 or later as soon as possible to fix the incorrect security setting. As a temporary workaround, consider avoiding the use of the CLIENT_ENCRYPTION_KEY...
CVE-2024-31293
Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads. This issue affects Easy Digital Downloads: from n/a through 3.2.6...
SUSE CVE-2014-8994
The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name tmp/check_diskio_status--...