GHSA-89VF-4333-QX8V Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Impact: SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS...
GHSA-3M6G-2423-7CP3 vulnerabilities
Vulnerabilities for packages: ruby4.0-fluentd-kubernetes-daemonset, ruby3.4-rails, ruby3.2-rails, ruby3.3-rails, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset, ruby4.0-rails, ruby3.2-fluentd-kubernetes-daemonset, logstash, ruby, cinc-auditor...
GHSA-3M6G-2423-7CP3 vulnerabilities
Vulnerabilities for packages: gitlab-cng, ruby3.4-fluentd-kubernetes-daemonset, ruby3.3-rails, cinc-auditor, ruby, ruby3.2-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, logstash, ruby3.4-rails, ruby3.2-rails, ruby4.0-fluentd-kubernetes-daemonset, ruby4.0-rails...
CVE-2026-33210
A flaw was found in Ruby JSON. This vulnerability, a format string injection, allows a remote attacker to cause a denial of service (DoS) or disclose sensitive information. The flaw occurs when processing specially crafted user-supplied documents with the allow_duplicate_key: false parsing option...
Debian: Security Advisory (DLA-4505-1)
The remote host is missing an update for Debian announced via advisory DLA-4505-1...
DLA-4505-1 ruby-rack - security update
Bulletin has no description...
PT-2026-27256
Name of the Vulnerable Software and Affected Versions: Active Support versions prior to 8.1.2.1; Active Support versions prior to 8.0.4.1; Active Support versions prior to 7.2.3.1. Description: The NumberToDelimitedConverter component utilizes a regular expression with gsub! to insert thousands...
[SECURITY] [DLA 4505-1] ruby-rack security update
----------------------------------------------------------------------- Debian LTS Advisory DLA-4505-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta March 23, 2026 https://wiki.debian.org/LTS -...
Linux Distros Unpatched Vulnerability : CVE-2026-33306
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation...
Debian dla-4505 : ruby-rack - security update
The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4505 advisory. - ----------------------------------------------------------------------- Debian LTS Advisory DLA-4505-1 [email protected]...
Integer Overflow
bcrypt-ruby is vulnerable to Integer Overflow. The vulnerability is due to an integer overflow in the Java BCrypt implementation for JRuby, where the key-strengthening round count is computed as a signed 32-bit integer, and when cost=31, signed integer overflow causes the round count to become...
Format String Injection
Ruby JSON is vulnerable to Format String Injection. The vulnerability is due to a format string injection vulnerability, where the allow_duplicate_key: false parsing option is used to parse user supplied documents and can lead to denial of service attacks or information disclosure...
Linux Distros Unpatched Vulnerability : CVE-2026-33210
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can...
CVE-2026-33210
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user...
UBUNTU-CVE-2026-33210
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user...
CVE-2026-33210 Ruby JSON has a format string injection vulnerability
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user...
CVE-2026-33210
The connected advisory (GHSA-3M6G-2423-7CP3) describes a format string injection vulnerability in Ruby JSON that can cause denial of service or information disclosure when parsing documents with allow_duplicate_key: false. This option is not the default, so impact depends on opting in. The issue ...