Lucene search

20 matches found

SUSE CVE
added 2026/04/03 11:25 p.m. | 1 view

SUSE CVE-2026-32762

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons...

CVSS 4.8 | AI score 5.7 | EPSS 0.00048
Exploits 0 | References 3
EUVD
added 2026/04/02 8:31 p.m. | 2 views

EUVD-2026-18423

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing...

CVSS 4.8 | AI score 5.8 | EPSS 0.00048
Exploits 0 | References 2
EUVD
added 2026/04/02 7:07 p.m. | 1 view

EUVD-2026-18386

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges...

CVSS 5.3 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 2
OSV
added 2026/04/02 5:16 p.m. | 1 view

DEBIAN-CVE-2026-34826

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the...

CVSS 7.5 | AI score 5.3 | EPSS 0.00021
Exploits 0 | References 1
Cvelist
added 2026/04/02 4:42 p.m. | 15 views

CVE-2026-26961 Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

CVSS 3.7 | EPSS 0.00014
Exploits 0 | References 1
Vulnrichment
added 2026/04/02 4:41 p.m. | 0 views

CVE-2026-34230 Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a respon...

CVSS 5.3 | AI score 5.7 | EPSS 0.00022
Exploits 0 | References 1
IBM Security Bulletins
added 2026/03/27 3:56 p.m. | 4 views

Security Bulletin: Multiple vulnerabilities have been addressed in IBM Aspera Shares

Summary: Multiple vulnerabilities have been addressed in IBM Aspera Shares Version 1.11.1. Vulnerability Details: CVEID: CVE-2025-13916 DESCRIPTION: IBM Aspera Shares uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information CWE: CWE-327: U...

CVSS 7.5 | AI score 5.7 | EPSS 0.00123
Exploits 2 | Affected Software 5
Vulnrichment
added 2025/10/07 2:30 p.m. | 1 view

CVE-2025-61770 Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser buffers the entire multipart preamble bytes before the first boundary in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing...

CVSS 7.5 | AI score 6.5 | EPSS 0.00266
Exploits 0 | References 4
Debian CVE
added 2025/09/25 2:37 p.m. | 3 views

CVE-2025-59830

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters...

CVSS 7.5 | AI score 5.8 | EPSS 0.0014
Exploits 0
IBM Security Bulletins
added 2025/06/25 1:52 p.m. | 17 views

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary: Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.10.0. Vulnerability Details: CVEID: CVE-2025-46727 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and...

CVSS 9.8 | AI score 10 | EPSS 0.00808
Exploits 1 | Affected Software 1
RubySec
added 2025/05/08 12:00 a.m. | 25 views

Rack has an Unbounded-Parameter DoS in Rack::QueryParser

Summary: Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. Details: The vulnerability arises because...

CVSS 7.5 | AI score 6.8 | EPSS 0.00808
Exploits 0 | References 1 | Affected Software 1
OSV
added 2024/09/20 12:00 a.m. | 3 views

UBUNTU-CVE-2024-45614

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies such as X-Forwarded-For by providing an underscore version of the same header, X-Forwarded_For. Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now...

CVSS 5.4 | AI score 7.1 | EPSS 0.00803
Exploits 0 | References 6
NVD
added 2024/02/29 12:15 a.m. | 24 views

CVE-2024-26141

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the...

CVSS 7.5 | AI score 5.3 | EPSS 0.0041
Exploits 1 | References 7
OSV
added 2023/08/18 10:15 p.m. | 0 views

DEBIAN-CVE-2023-40175

Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent ...

CVSS 9.8 | AI score 6.2 | EPSS 0.00377
Exploits 0 | References 1
Snyk
added 2021/05/12 9:55 a.m. | 1 view

Denial of Service (DoS)

Overview: puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as providing process...

CVSS 7.5 | AI score 6.9 | EPSS 0.01587
Exploits 0 | References 2
NVD
added 2013/08/02 12:10 p.m. | 14 views

CVE-2013-1190

The C-Series Rack Server component 1.4 in Cisco Unified Computing System UCS does not properly restrict inbound access to ports, which allows remote attackers to cause a denial of service Integrated Management Controller reboot or hang via crafted packets, as demonstrated by nmap, aka Bug ID...

CVSS 5 | AI score 6.7 | EPSS 0.00438
Exploits 0 | References 1
Prion
added 2013/08/02 12:10 p.m. | 15 views

Design/Logic Flaw

The C-Series Rack Server component 1.4 in Cisco Unified Computing System UCS does not properly restrict inbound access to ports, which allows remote attackers to cause a denial of service Integrated Management Controller reboot or hang via crafted packets, as demonstrated by nmap, aka Bug ID...

CVSS 5 | AI score 7.2 | EPSS 0.00438
Exploits 0 | References 1
Cisco
added 2013/08/01 6:22 p.m. | 28 views

Cisco Integrated Management Controller Denial of Service Vulnerability

Cisco Unified Computing System UCS C-Series Rack Server version 1.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause the Cisco Integrated Management Controller CIMC, which is used for management/monitoring of the Cisco UCS Rack Server, to stop responding or a...

CVSS 5 | AI score 6.8 | EPSS 0.00438
Exploits 0 | References 1
Cvelist
added 2013/08/01 4:00 p.m. | 20 views

CVE-2013-1190

The C-Series Rack Server component 1.4 in Cisco Unified Computing System UCS does not properly restrict inbound access to ports, which allows remote attackers to cause a denial of service Integrated Management Controller reboot or hang via crafted packets, as demonstrated by nmap, aka Bug ID...

AI score 6.7 | EPSS 0.00438
Exploits 0 | References 1
CVE
added 2013/08/01 4:00 p.m. | 47 views

CVE-2013-1190

The CVE-2013-1190 issue affects Cisco UCS C-Series Rack Server component 1.4. The root cause is a failure to restrict inbound connections to certain ports, allowing an unauthenticated remote attacker to cause the Cisco Integrated Management Controller (CIMC) to stop responding or reboot via craft...

CVSS 5 | AI score 6.9 | EPSS 0.00438
Exploits 0 | References 1 | Affected Software 1