<![CDATA[RubySec]]>

<![CDATA[RubySec]]> 2026-03-30T15:44:17+00:00 https://rubysec.com/ Jekyll <![CDATA[CVE-2026-34060 (ruby-lsp): Ruby LSP has arbitrary code execution through branch setting]]> https://rubysec.com/advisories/CVE-2026-34060 2026-03-27T00:00:00+00:00 = 0.10.2. The `branch` CLI flag was also entirely removed from the `ruby-lsp` gem. For users that don't add `ruby-lsp` to their Gemfiles, the server should auto-update. Users with the `ruby-lsp` in the Gemfile and locked to a specific version should update to >= 0.26.9. ]]> <![CDATA[CVE-2026-33946 (mcp): MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay]]> https://rubysec.com/advisories/CVE-2026-33946 2026-03-27T00:00:00+00:00 <![CDATA[CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests]]> https://rubysec.com/advisories/CVE-2026-33658 2026-03-25T00:00:00+00:00 <![CDATA[CVE-2026-33635 (icalendar): iCalendar has ICS injection via unsanitized URI property values]]> https://rubysec.com/advisories/CVE-2026-33635 2026-03-24T00:00:00+00:00 <![CDATA[CVE-2026-33286 (graphiti): Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names]]> https://rubysec.com/advisories/CVE-2026-33286 2026-03-20T00:00:00+00:00 <![CDATA[CVE-2026-33306 (bcrypt): bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby]]> https://rubysec.com/advisories/CVE-2026-33306 2026-03-19T00:00:00+00:00 <![CDATA[CVE-2026-33210 (json): Ruby JSON has a format string injection vulnerability]]> https://rubysec.com/advisories/CVE-2026-33210 2026-03-19T00:00:00+00:00 <![CDATA[GHSA-46fp-8f5p-pf2m (loofah): Improper detection of disallowed URIs by Loofah `allowed_uri?`]]> https://rubysec.com/advisories/GHSA-46fp-8f5p-pf2m 2026-03-18T00:00:00+00:00 = `2.25.1`. ## Credit Responsibly reported by HackOne user `@smlee`. ]]> <![CDATA[CVE-2026-33209 (avo): Avo has a XSS vulnerability on `return_to` param]]> https://rubysec.com/advisories/CVE-2026-33209 2026-03-18T00:00:00+00:00 <![CDATA[CVE-2026-4324 (katello): Katello - Denial of Service and potential information disclosure via SQL injection']]> https://rubysec.com/advisories/CVE-2026-4324 2026-03-17T00:00:00+00:00 <![CDATA[GHSA-57hq-95w6-v4fc (devise): Confirmable "change email" race condition permits user to confirm email they have no access to]]> https://rubysec.com/advisories/GHSA-57hq-95w6-v4fc 2026-03-16T00:00:00+00:00 <![CDATA[CVE-2026-32700 (devise): Confirmable "change email" race condition permits user to confirm email they have no access to]]> https://rubysec.com/advisories/CVE-2026-32700 2026-03-16T00:00:00+00:00 <![CDATA[GHSA-qmpg-8xg6-ph5q (action_text-trix): Trix has a Stored XSS vulnerability through serialized attributes]]> https://rubysec.com/advisories/GHSA-qmpg-8xg6-ph5q 2026-03-12T00:00:00+00:00 <![CDATA[CVE-2026-31830 (sigstore): sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest]]> https://rubysec.com/advisories/CVE-2026-31830 2026-03-11T00:00:00+00:00 <![CDATA[CVE-2026-1776 (camaleon_cms): Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation]]> https://rubysec.com/advisories/CVE-2026-1776 2026-03-10T00:00:00+00:00 <![CDATA[CVE-2026-27820 (zlib): Buffer overflow vulnerability in Zlib::GzipReader]]> https://rubysec.com/advisories/CVE-2026-27820 2026-03-05T00:00:00+00:00 = 3.2.3" to your Gemfile. ## Affected versions: zlib gem 3.2.2 or lower ## Credits Thanks to calysteon for reporting this issue. Also thanks to nobu for creating the patch. ]]> <![CDATA[CVE-2026-0980 (rubyipmi): rubyipmi is vulnerable to OS Command Injection through malicious usernames]]> https://rubysec.com/advisories/CVE-2026-0980 2026-02-27T00:00:00+00:00 <![CDATA[GHSA-wx95-c6cv-8532 (nokogiri): Nokogiri does not check the return value from xmlC14NExecute]]> https://rubysec.com/advisories/GHSA-wx95-c6cv-8532 2026-02-18T00:00:00+00:00 = 1.19.1`. ## Severity The maintainers have assessed this as **Medium** severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References). ## Credit This vulnerability was responsibly reported by HackerOne researcher `d4d`. ]]> <![CDATA[CVE-2026-25500 (rack): Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href]]> https://rubysec.com/advisories/CVE-2026-25500 2026-02-17T00:00:00+00:00 %s ``` The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: ```html javascript:alert(1) ``` Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. ## Impact If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). ## Mitigation * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). * Avoid exposing user-controlled directories via `Rack::Directory`. * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.]]> <![CDATA[CVE-2026-22860 (rack): Rack has a Directory Traversal via Rack:Directory]]> https://rubysec.com/advisories/CVE-2026-22860 2026-02-17T00:00:00+00:00