1255 matches found
iCalendar has ICS injection via unsanitized URI property values
Summary .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. Details Icalendar::Values::Uri falls back to the raw input string when URI.parse fails and later serializes it with...
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Impact When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header e.g. bytes=0- could cause the server to allocate memory proportional to the file size,...
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage
Summary There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. Details When httparty receives a path argument that is an absolute URL, it ignores the baseuri field. As a result, if ...
Insufficient input sanitization in ejson2env
Summary The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values m...
HTTP Request Smuggling in ruby webrick
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier''s position is "Webri...
Insecure File Permissions vulnerability in kaminari
kaminari versions prior to 0.16.2 are vulnerable to an Insecure File Permissions vulnerability, where certain files within the kaminari gem have insecure file permissions. Versions Affected: = 0.16.2 Impact An attacker with local access could write arbitrary code to the affected files resulting i...
TurboBoost Commands vulnerable to arbitrary method invocation
Impact TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted dependi...
Omniauth::MicrosoftGraph Account takeover (nOAuth)
Summary The implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier...
Decidim Cross-site Scripting vulnerability in the external link redirections
Impact The external link feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of...
Decidim vulnerable to sensitive data disclosure
Note: added the actual report as a comment. Summary Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections e.g., public meetings. By default, this library allows filtering on all data attributes and associations...
Spina Cross-site Scripting vulnerability
Cross-site Scripting XSS - Stored in GitHub repository spinacms/spina prior to 2.15.1...
ruby-mysql Client File Read
A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 and later...
Metasploit Framework user exposes Metasploit to same deserialization issue that is exploited by that module
By launching the drbremotecodeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with...
Code injection in publify
Code Injection in GitHub repository publify/publify prior to 9.2.8...
smalruby and smalruby-editor vulnerable to OS Command Injection
smalruby-editor prior to 0.4.1 and smalruby prior to 0.1.11 allows remote attackers to execute arbitrary OS commands via unspecified vectors...
RubyGem openshift-origin-controller is vulnerable to command injection
'rubygem-openshift-origin-controller: API can be used to create applications via cartridgecache.rb URI.prase to perform command injection'...
Heap-based Buffer Overflow in mruby/mruby
Heap-based Buffer Overflow in Homebrew mruby prior to 3.2...
Improper Authorization in Publify
In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow. This happens due to front-end restriction only...
Improper Certificate Validation in TweetStream
TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack...
Heap buffer overflow in OP_ENTER
An issue was discovered in mruby 1.4.1. There is a heap-based buffer over-read associated with OPENTER because a heap-based mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of many arguments to fiber...
Auth tag forgery vulnerability with AES-GCM encrypted JWT
Ruby's OpenSSL bindings do not check the length of the supplied authentication tag when decrypting an authenticated encryption mode such as AES-GCM, leaving this up to the authors of a gem/app to implement for properly validating the message. json-jwt was not checking for the authentication tag...
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
The mail gem before 2.5.5 for Ruby aka A Really Ruby Mail Library is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring...
HTTPS MitM vulnerability in http.rb
http.rb failed to call the OpenSSL::SSL::SSLSocketpostconnectioncheck method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack...
xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
xaviershay-dm-rails Gem for Ruby contains a flaw in the execute function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information...
sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
sfpagent Gem for Ruby contains a flaw that is triggered as JSONbody input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands...
Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries
Fat Free CRM contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the app/controllers/homecontroller.rb script not properly sanitizing user-supplied input to the 'state' parameter or input passed via comments and emails. This may allow a remote attacker to inje...
omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
omniauth-facebook Gem for Ruby contains a flaw that is due to the application supporting passing the access token via the URL. This may allow a remote attacker to bypass authentication and authenticate as another user...
Sup did not sanitize the content-type of attachments
Sup MUA contains a flaw that is triggered when handling email attachment content. This may allow a context-dependent attacker to execute arbitrary commands...
Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
Spree contains a flaw that is triggered when handling input passed via the 'promotionaction' parameter to promotionactionscontroller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands...
Net::IMAP: Command Injection via ID command argument
Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
Impact Puma is vulnerable to source IP spoofing when setremoteaddress proxyprotocol: :v1 is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, befo...
CVE-2026-46727 - Use-after-free in pthread-based getaddrinfo timeout handler
SUMMARY A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler rbgetaddrinfo in ext/socket/raddrinfo.c allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo..., timeout: o...
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Summary When the Timeoutable module is enabled in Devise, the FailureAppredirecturl method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an...
view_component - Preview Route Can Dispatch Inherited Helper Methods'
The preview route derives an example name from the URL and calls it with publicsend. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The...
net-imap has quadratic complexity when reading response literals
Summary Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. Details For each literal in a response, ResponseReader...
Possible arbitrary path traversal and file access via yard server
Impact A path traversal vulnerability was discovered in YARD = 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in GHSA-xfhh-rx56-rxcr wa...
Addressable has a Regular Expression Denial of Service in Addressable templates
Impact Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the explode modifier with any expansion operator e.g., foo, +var, var, /var, .var, ;var, ?var, &var generate patterns...
rdiscount has an Out-of-bounds Read
Summary A signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INTMAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. Details In both...
Rails Active Support has a possible DoS vulnerability in its number helpers
Impact Active Support number helpers accept strings containing scientific notation e.g. 1e10000, which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,...
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Impact NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. Releases The fixed releases are available at the normal locations...
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...
Buffer overflow vulnerability in Zlib::GzipReader
A buffer overflow vulnerability exists in Zlib::GzipReader. This vulnerability has been assigned the CVE identifier CVE-2026-27820. We recommend upgrading the zlib gem. Details The zstreambufferungets function prepends caller-provided bytes ahead of previously produced output but fails to guarant...
JWE is missing AES-GCM authentication tag validation in encrypted JWE
Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. Impact - JWEs can be modified to decrypt to an arbitrary value - JWEs can be decrypted by observing parsing differences - The...
Thor can construct an unsafe shell command from library input.
Thor before 1.4.0 can construct an unsafe shell command from library input...
ReDoS Vulnerability in Rack::Multipart handle_mime_head
Summary There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Details Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time,...
Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
Summary A publisher on a publify application is able to perform a cross-site scripting attack on an administrator using the redirect functionality. Details A publisher on a publify application is able to perform a cross-site scripting attack on an administrator using the redirect functionality. T...
Cross Site Scripting vulnerability in Contribsys Sidekiq
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions...
sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis
Cross site scripting XSS potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7. Details Specially crafted URL query parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but...
Publify Improper Input Validation vulnerability
Improper Input Validation in GitHub repository publify/publify prior to 9.2.10...
Integer overflow in publify_core
Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10 due to an unlimited length user name field...