2118 matches found
ruby4.0-rubygem-rails-8.0-8.0.3-1.3 on GA media (moderate)
ruby4.0-rubygem-rails-8.0-8.0.3-1.3 on GA media Announcement ID: openSUSE-SU-2026:10360-1 Rating: moderate Cross-References: CVE-2024-54133 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
MarkUs 安全漏洞
MarkUs is an open-source Ruby on Rails and React web application used for submitting and grading student assignments. Versions of MarkUs prior to 2.9.4 contained a security vulnerability due to the lack of size or item quantity limits when extracting zip files...
Ruby on Rails: ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection
A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation o...
CVE-2026-25757 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...
Exploit for Path Traversal in Tuzitio Camaleon_Cms
Exploit-for-CVE-2024-46987 Exploit for CVE-2024-46987 usage:...
Decidim 安全漏洞
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.30.0 up to 0.30.4, as well as versions from 0.31.0.rc1 up to 0.31.0, have security vulnerabilities. These vulnerabilities stem from UUID collisions in the private data export...
CVE-2026-23885
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
CVE-2026-23885
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
EUVD-2026-3281
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
CVE-2026-23885
CVE-2026-23885 – AlchemyCMS RCE via eval in ResourcesHelper . The vulnerability affects AlchemyCMS (Ruby on Rails) prior to 7.4.12 and 8.0.3, where the code in Alchemy::ResourcesHelper#resource_url_proxy uses Ruby’s eval() on the value of resource_handler.engine_name. This string is sourced from ...
Exploit for Improper Access Control in Rubyonrails Web_Console
CVE-2015-3...
CVE-2024-41961
Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which...
CVE-2024-39906
A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads t...
CVE-2026-22588
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
GHSA-R657-RXJC-J557 vulnerabilities
Vulnerabilities for packages: ruby3.3-rails, kube-fluentd-operator, ruby3.3-rack, ruby4.0-rack, ruby3.4-rack, ruby3.2-rack, logstash, ruby3.2-rails, ruby3.4-rails...
CVE-2025-61780 vulnerabilities
Vulnerabilities for packages: ruby3.2-rails, ruby3.3-rails, ruby3.2-rack, ruby4.0-rack, ruby3.4-rack, gitlab-rails-ce, logstash, ruby3.3-rack, kube-fluentd-operator, ruby3.4-rails...