Ruby on Rails: ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation o...

Ubuntu: Security Advisory (USN-8066-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EUVD-2025-208140

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression regex parsing when processing hex numeric character references &x...; in XML documents. This could lead to a Regular Expression Denial of Service ReDoS, impacting the availability of the affected component...

CVE-2025-10990

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression regex parsing when processing hex numeric character references &x...; in XML documents. This could lead to a Regular Expression Denial of Service ReDoS, impacting the availability of the affected component...

CVE-2025-10990

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression regex parsing when processing hex numeric character references &x...; in XML documents. This could lead to a Regular Expression Denial of Service ReDoS, impacting the availability of the affected component...

ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control C2 communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks. T...

CVE-2026-0980

A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller BMC component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote...

PT-2025-46138

Name of the Vulnerable Software and Affected Versions REXML affected versions not specified Description A flaw exists in REXML related to inefficient regular expression regex parsing when processing hex numeric character references &x... in XML documents. This can lead to a Regular Expression...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in aws-sdk-s3-1.199.0.gem

Summary IBM Watson Discovery Cartridge affected by vulnerability in aws-sdk-s3-1.199.0.gem Vulnerability Details CVEID:CVE-2025-14762 DESCRIPTION: Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts ...

USN-8066-1 ruby-rack vulnerabilities

Minh Pham Quang discovered that Rack did not correctly handle parsing certain paths, which could lead to a path traversal attack. An attacker could possibly use this issue to leak sensitive information. CVE-2026-22860 Ali Firas discovered that Rack did not correctly sanitize certain inputs. An...

Critical Photon OS Security Update - PHSA-2026-5.0-0777

Updates of 'rubygem-nokogiri' packages of Photon OS have been released...

CVE-2026-27635

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter ...

CVE-2026-27635 Manyfold vulnerable to OS command injection via ZIP filename in f3d render

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter ...

GHSA-WX95-C6CV-8532 vulnerabilities

Vulnerabilities for packages: ruby3.4-rails, ruby3.3-rails, ruby3.2-rails, ruby4.0-rails...

GHSA-WX95-C6CV-8532 vulnerabilities

Vulnerabilities for packages: ruby3.4-rails, ruby3.3-rails, ruby3.2-rails, ruby4.0-rails...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-005361)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005361 advisory. REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to...

MAL-2026-1002 Malicious code in newrubylogger (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d10fd2e8adb621ac6bb3b4cd31357213d90dd17f27cd1f01d5e8e7138686d7c2 The OpenSSF Package Analysis project identified 'newrubylogger' @ 99.9.1 rubygems as malicious. It is considered malicious because: - The packag...

Malicious code in newrubylogger (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d10fd2e8adb621ac6bb3b4cd31357213d90dd17f27cd1f01d5e8e7138686d7c2 The OpenSSF Package Analysis project identified 'newrubylogger' @ 99.9.1 rubygems as malicious. It is considered malicious because: - The packag...

Malicious code in rubocop-vintedmetrics (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis c8e90dd88f71e05719940997342cf6a367387fc68045f091a864d8f8e7e62be8 The OpenSSF Package Analysis project identified 'rubocop-vintedmetrics' @ 9.9.12 rubygems as malicious. It is considered malicious because: - Th...

MAL-2026-996 Malicious code in rubocop-vintedmetrics (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis c8e90dd88f71e05719940997342cf6a367387fc68045f091a864d8f8e7e62be8 The OpenSSF Package Analysis project identified 'rubocop-vintedmetrics' @ 9.9.12 rubygems as malicious. It is considered malicious because: - Th...