2118 matches found
GHSA-8VQR-QJWX-82MW vulnerabilities
Vulnerabilities for packages: pact-broker-docker-fips, ruby3.2-rack, ruby3.4-rails, ruby4.0-rack, pact-broker-docker, ruby3.4-rack, gitlab-cng, gitlab-rails-ce-fips, kube-fluentd-operator, gitlab-rails-ce, logstash, ruby3.2-rails, ruby3.3-rack...
GHSA-2J22-PR5W-6GQ8 vulnerabilities
Vulnerabilities for packages: ruby3.4-rails...
Linux Distros Unpatched Vulnerability : CVE-2026-33167
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does no...
CVE-2026-33209
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...
CVE-2026-33168 vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce-fips, ruby3.4-rails, ruby3.2-rails, gitlab-rails-ce...
CVE-2026-33173 vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce-fips, ruby3.4-rails, ruby3.2-rails, gitlab-rails-ce...
CVE-2026-33174 vulnerabilities
Vulnerabilities for packages: ruby3.2-rails, ruby3.4-rails...
CVE-2026-33173 vulnerabilities
Vulnerabilities for packages: ruby3.2-rails, ruby3.4-rails...
GHSA-QCFX-2MFW-W4CG vulnerabilities
Vulnerabilities for packages: ruby3.2-rails, ruby3.4-rails...
SUSE CVE-2026-33167
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page,...
SUSE CVE-2026-33169
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. NumberToDelimitedConverter uses a lookahead-based regular expression with gsub! to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between th...
SUSE CVE-2026-33170
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...
CVE-2026-33176
A flaw was found in Active Support, a toolkit of support libraries for Ruby on Rails. A remote attacker can exploit this vulnerability by providing specially crafted strings containing scientific notation e.g., "1e10000" to number helpers. This input causes the BigDecimal component to expand into...
UBUNTU-CVE-2026-33202
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskServicedeleteprefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...
UBUNTU-CVE-2026-33174
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request...
CVE-2026-33168
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefull...
CVE-2026-33167
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page,...
CVE-2026-33209
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...
CVE-2026-33209 Avo has a XSS vulnerability on `return_to` param
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...
Avo 跨站脚本漏洞
Avo is an open-source Ruby on Rails management panel framework developed by Avo itself. Versions of Avo prior to 3.30.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the returnto query parameter in the Avo interface, which allowed reflective cross-site scripting...