Ruby Rack < 2.2.23 / 3.0.x < 3.1.21 / 3.2 < 3.2.6 Multiple Vulnerabilities

The version of the Rack Ruby library installed on the remote host is prior to 2.2.23, prior to 3.1.21, or prior to 3.2.6. It is, therefore, affected by multiple vulnerabilities: - Rack::Utils.getbyteranges parses HTTP Range header without limiting the number of individual byte ranges, leading to...

CVE-2026-34826

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.getbyteranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the...

CVE-2026-34826 Rack: Unbounded Range Count in get_byte_ranges Enables DoS

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.getbyteranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the...

Rack 安全漏洞

Rack is a modular Ruby web server interface developed by Rack authors. Vulnerabilities exist in versions of Rack prior to 2.2.23, 3.1.21, and 3.2.6. These vulnerabilities stem from Rack::Utils.getbyteranges, which does not limit the number of individual byte ranges when parsing HTTP Range headers...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34784

Parse Server has a vulnerability where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on streaming storage adapters (e.g., GridFS). This can let an attacker access files that should be protected by authorization logic. The issue is fixed in vers...

Linux Distros Unpatched Vulnerability : CVE-2026-33658

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy...

CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

DEBIAN-CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

UBUNTU-CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

EUVD-2026-16426

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate C...

SUSE SLES12 Security Update : libsoup (SUSE-SU-2026:0703-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0703-1 advisory. - CVE-2026-0716: improper bounds handling may allow out-of-bounds read bsc1256418. - CVE-2025-4476: null pointer dereference may lead to denial...

SUSE-SU-2026:20649-1 Security update for libsoup

This update for libsoup fixes the following issues: - CVE-2025-32049: denial of service attack to websocket server bsc1240751. - CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests bsc1257398. - CVE-2026-1536: HTTP header injection or response splitting...

SUSE-SU-2026:0703-1 Security update for libsoup

This update for libsoup fixes the following issues: - CVE-2026-0716: improper bounds handling may allow out-of-bounds read bsc1256418. - CVE-2025-4476: null pointer dereference may lead to denial of service bsc1243422. - CVE-2025-32049: denial of Service attack to websocket server bsc1240751. -...

AZL-77889 CVE-2026-2443 affecting package libsoup 3.4.4-12

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server...

CVE-2026-2443

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server...

Linux Distros Unpatched Vulnerability : CVE-2026-2443

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may...

CVE-2025-63655

A NULL pointer dereference in the mkhttprangeparse function mkserver/mkhttp.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted HTTP request to the server...