Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem

Summary IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem Vulnerability Details CVEID:CVE-2026-35611 DESCRIPTION: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the...

Rails: Active Support: Active Support: Denial of Service via large scientific notation strings

A flaw was found in Active Support, a toolkit of support libraries for Ruby on Rails. A remote attacker can exploit this vulnerability by providing specially crafted strings containing scientific notation e.g., "1e10000" to number helpers. This input causes the BigDecimal component to expand into...

Unity Linux 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-016521)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016521 advisory. An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data...

GHSA-VCGP-9326-PQCP vulnerabilities

Vulnerabilities for packages: kube-fluentd-operator, ruby4.0-rails, ruby4.0-net-imap, ruby3.2-rails, ruby3.3-net-imap, kube-logging-operator, ruby3.4-net-imap, ruby3.3-rails, ruby3.2-net-imap, logstash, ruby3.4-rails...

GHSA-HM49-WCQC-G2XG vulnerabilities

Vulnerabilities for packages: ruby4.0-rails, ruby4.0-net-imap, ruby3.2-rails, ruby3.3-net-imap, kube-logging-operator, ruby3.4-net-imap, ruby3.3-rails, ruby3.2-net-imap, logstash, ruby3.4-rails...

GHSA-75XQ-5H9V-W6PX vulnerabilities

Vulnerabilities for packages: ruby4.0-rails, ruby4.0-net-imap, ruby3.2-rails, ruby3.3-net-imap, kube-logging-operator, ruby3.4-net-imap, ruby3.3-rails, ruby3.2-net-imap, logstash, ruby3.4-rails...

CVE-2026-42257 vulnerabilities

Vulnerabilities for packages: ruby4.0-rails, ruby4.0-net-imap, ruby3.2-rails, ruby3.3-net-imap, kube-logging-operator, ruby3.4-net-imap, ruby3.3-rails, ruby3.2-net-imap, logstash, ruby3.4-rails...

GHSA-Q2MW-FVJ9-VVCW vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

GHSA-75XQ-5H9V-W6PX vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

CVE-2026-42256 vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

CVE-2026-42258 vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

CVE-2026-42257 vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

CVE-2026-42245 vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

CVE-2026-42246 vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, logstash-fips, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, kube-fluentd-operator, kube-logging-operator, ruby4.0-rails...

GHSA-VCGP-9326-PQCP vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, logstash-fips, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, kube-fluentd-operator, kube-logging-operator, ruby4.0-rails...

GHSA-HM49-WCQC-G2XG vulnerabilities

Vulnerabilities for packages: ruby3.3-net-imap, ruby3.2-net-imap, kube-logging-operator, ruby3.2-rails, logstash, ruby3.3-rails, gitlab-rails-ce, ruby3.4-net-imap, ruby3.4-rails, gitlab-rails-ce-fips, ruby4.0-net-imap, logstash-fips, ruby4.0-rails...

GHSA-3H96-34P3-XM76 GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens

GraphQL-Ruby's maxquerystringtokens configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this...

GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens

GraphQL-Ruby's maxquerystringtokens configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this...

Allocation of Resources Without Limits or Throttling

Overview graphql is a plain-Ruby implementation of GraphQL. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper counting of comment tokens in the maxquerystringtokens configuration. An attacker can cause excessive resource...

Security Bulletin: Multiple vulnerabilities in IBM Aspera Faspex

Summary Multiple vulnerabilities were addressed in IBM Aspera Faspex 5.0.15.2 Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP reque...