Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/ruby-rack@3.2.6-2
Typedeb
Namespacedebian
Nameruby-rack
Version3.2.6-2
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1j61-5e8x-7fbd
vulnerability_id VCID-1j61-5e8x-7fbd
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34829
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12659
published_at 2026-04-04T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.1247
published_at 2026-04-07T12:55:00Z
2
value 0.00054
scoring_system epss
scoring_elements 0.17041
published_at 2026-04-12T12:55:00Z
3
value 0.00054
scoring_system epss
scoring_elements 0.17088
published_at 2026-04-11T12:55:00Z
4
value 0.00054
scoring_system epss
scoring_elements 0.17112
published_at 2026-04-09T12:55:00Z
5
value 0.00054
scoring_system epss
scoring_elements 0.17054
published_at 2026-04-08T12:55:00Z
6
value 0.00054
scoring_system epss
scoring_elements 0.16916
published_at 2026-04-16T12:55:00Z
7
value 0.00054
scoring_system epss
scoring_elements 0.1698
published_at 2026-04-13T12:55:00Z
8
value 0.0006
scoring_system epss
scoring_elements 0.18643
published_at 2026-04-21T12:55:00Z
9
value 0.0006
scoring_system epss
scoring_elements 0.18624
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34829
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34829
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34829
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454488
reference_id 2454488
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454488
7
reference_url https://github.com/advisories/GHSA-8vqr-qjwx-82mw
reference_id GHSA-8vqr-qjwx-82mw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vqr-qjwx-82mw
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
reference_id GHSA-8vqr-qjwx-82mw
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:27Z/
url https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34829, GHSA-8vqr-qjwx-82mw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1j61-5e8x-7fbd
1
url VCID-2p73-rc9t-rudb
vulnerability_id VCID-2p73-rc9t-rudb
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34831
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
8
value 0.00038
scoring_system epss
scoring_elements 0.11443
published_at 2026-04-21T12:55:00Z
9
value 0.00038
scoring_system epss
scoring_elements 0.11321
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34831
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:43:52Z/
url https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34831
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34831
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454504
reference_id 2454504
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454504
8
reference_url https://github.com/advisories/GHSA-q2ww-5357-x388
reference_id GHSA-q2ww-5357-x388
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2ww-5357-x388
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34831, GHSA-q2ww-5357-x388
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2p73-rc9t-rudb
2
url VCID-2qba-a6bp-ryak
vulnerability_id VCID-2qba-a6bp-ryak
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34785
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08839
published_at 2026-04-04T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.08773
published_at 2026-04-07T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12361
published_at 2026-04-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12399
published_at 2026-04-11T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12391
published_at 2026-04-09T12:55:00Z
5
value 0.00041
scoring_system epss
scoring_elements 0.12341
published_at 2026-04-08T12:55:00Z
6
value 0.00041
scoring_system epss
scoring_elements 0.12223
published_at 2026-04-16T12:55:00Z
7
value 0.00041
scoring_system epss
scoring_elements 0.12323
published_at 2026-04-13T12:55:00Z
8
value 0.00043
scoring_system epss
scoring_elements 0.13017
published_at 2026-04-21T12:55:00Z
9
value 0.00043
scoring_system epss
scoring_elements 0.12919
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34785
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34785
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34785
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454486
reference_id 2454486
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454486
7
reference_url https://github.com/advisories/GHSA-h2jq-g4cq-5ppq
reference_id GHSA-h2jq-g4cq-5ppq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h2jq-g4cq-5ppq
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
reference_id GHSA-h2jq-g4cq-5ppq
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:58:57Z/
url https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34785, GHSA-h2jq-g4cq-5ppq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2qba-a6bp-ryak
3
url VCID-5twm-pqc2-xyfn
vulnerability_id VCID-5twm-pqc2-xyfn
summary Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34835
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.19887
published_at 2026-04-07T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20158
published_at 2026-04-04T12:55:00Z
2
value 0.00103
scoring_system epss
scoring_elements 0.28063
published_at 2026-04-21T12:55:00Z
3
value 0.00103
scoring_system epss
scoring_elements 0.28163
published_at 2026-04-08T12:55:00Z
4
value 0.00103
scoring_system epss
scoring_elements 0.28205
published_at 2026-04-09T12:55:00Z
5
value 0.00103
scoring_system epss
scoring_elements 0.28213
published_at 2026-04-11T12:55:00Z
6
value 0.00103
scoring_system epss
scoring_elements 0.28171
published_at 2026-04-12T12:55:00Z
7
value 0.00103
scoring_system epss
scoring_elements 0.28113
published_at 2026-04-13T12:55:00Z
8
value 0.00103
scoring_system epss
scoring_elements 0.28125
published_at 2026-04-16T12:55:00Z
9
value 0.00103
scoring_system epss
scoring_elements 0.28107
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34835
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34835
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34835
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454482
reference_id 2454482
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454482
7
reference_url https://github.com/advisories/GHSA-g2pf-xv49-m2h5
reference_id GHSA-g2pf-xv49-m2h5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g2pf-xv49-m2h5
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
reference_id GHSA-g2pf-xv49-m2h5
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:43:54Z/
url https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34835, GHSA-g2pf-xv49-m2h5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5twm-pqc2-xyfn
4
url VCID-dh75-6jyw-1ke2
vulnerability_id VCID-dh75-6jyw-1ke2
summary Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34827
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04367
published_at 2026-04-21T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12659
published_at 2026-04-04T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.1247
published_at 2026-04-07T12:55:00Z
3
value 0.00054
scoring_system epss
scoring_elements 0.17088
published_at 2026-04-11T12:55:00Z
4
value 0.00054
scoring_system epss
scoring_elements 0.16918
published_at 2026-04-18T12:55:00Z
5
value 0.00054
scoring_system epss
scoring_elements 0.16916
published_at 2026-04-16T12:55:00Z
6
value 0.00054
scoring_system epss
scoring_elements 0.1698
published_at 2026-04-13T12:55:00Z
7
value 0.00054
scoring_system epss
scoring_elements 0.17041
published_at 2026-04-12T12:55:00Z
8
value 0.00054
scoring_system epss
scoring_elements 0.17054
published_at 2026-04-08T12:55:00Z
9
value 0.00054
scoring_system epss
scoring_elements 0.17112
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34827
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34827
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34827
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454501
reference_id 2454501
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454501
8
reference_url https://github.com/advisories/GHSA-v6x5-cg8r-vv6x
reference_id GHSA-v6x5-cg8r-vv6x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v6x5-cg8r-vv6x
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34827, GHSA-v6x5-cg8r-vv6x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dh75-6jyw-1ke2
5
url VCID-j34j-bgfd-8fez
vulnerability_id VCID-j34j-bgfd-8fez
summary Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32762
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10592
published_at 2026-04-18T12:55:00Z
8
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
9
value 0.00044
scoring_system epss
scoring_elements 0.13544
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32762
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32762
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32762
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454489
reference_id 2454489
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454489
7
reference_url https://github.com/advisories/GHSA-qfgr-crr9-7r49
reference_id GHSA-qfgr-crr9-7r49
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qfgr-crr9-7r49
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
reference_id GHSA-qfgr-crr9-7r49
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:32Z/
url https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-32762, GHSA-qfgr-crr9-7r49
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j34j-bgfd-8fez
6
url VCID-jg77-mm5c-gydu
vulnerability_id VCID-jg77-mm5c-gydu
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34763
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
8
value 0.00038
scoring_system epss
scoring_elements 0.11443
published_at 2026-04-21T12:55:00Z
9
value 0.00038
scoring_system epss
scoring_elements 0.11321
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34763
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34763
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34763
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454498
reference_id 2454498
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454498
7
reference_url https://github.com/advisories/GHSA-7mqq-6cf9-v2qp
reference_id GHSA-7mqq-6cf9-v2qp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7mqq-6cf9-v2qp
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
reference_id GHSA-7mqq-6cf9-v2qp
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34763, GHSA-7mqq-6cf9-v2qp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jg77-mm5c-gydu
7
url VCID-m98a-mcyb-c7fm
vulnerability_id VCID-m98a-mcyb-c7fm
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34786
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.08219
published_at 2026-04-04T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08165
published_at 2026-04-07T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11407
published_at 2026-04-12T12:55:00Z
3
value 0.00038
scoring_system epss
scoring_elements 0.1144
published_at 2026-04-11T12:55:00Z
4
value 0.00038
scoring_system epss
scoring_elements 0.11434
published_at 2026-04-09T12:55:00Z
5
value 0.00038
scoring_system epss
scoring_elements 0.11376
published_at 2026-04-08T12:55:00Z
6
value 0.00038
scoring_system epss
scoring_elements 0.11236
published_at 2026-04-16T12:55:00Z
7
value 0.00038
scoring_system epss
scoring_elements 0.11377
published_at 2026-04-13T12:55:00Z
8
value 0.0004
scoring_system epss
scoring_elements 0.12129
published_at 2026-04-21T12:55:00Z
9
value 0.0004
scoring_system epss
scoring_elements 0.12015
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34786
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:37:20Z/
url https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34786
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34786
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454507
reference_id 2454507
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454507
8
reference_url https://github.com/advisories/GHSA-q4qf-9j86-f5mh
reference_id GHSA-q4qf-9j86-f5mh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q4qf-9j86-f5mh
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34786, GHSA-q4qf-9j86-f5mh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m98a-mcyb-c7fm
8
url VCID-metf-cghw-p3b5
vulnerability_id VCID-metf-cghw-p3b5
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34826
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05072
published_at 2026-04-21T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.11785
published_at 2026-04-04T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.11569
published_at 2026-04-07T12:55:00Z
3
value 0.00051
scoring_system epss
scoring_elements 0.15894
published_at 2026-04-11T12:55:00Z
4
value 0.00051
scoring_system epss
scoring_elements 0.15709
published_at 2026-04-16T12:55:00Z
5
value 0.00051
scoring_system epss
scoring_elements 0.15787
published_at 2026-04-13T12:55:00Z
6
value 0.00051
scoring_system epss
scoring_elements 0.15856
published_at 2026-04-12T12:55:00Z
7
value 0.00051
scoring_system epss
scoring_elements 0.15857
published_at 2026-04-08T12:55:00Z
8
value 0.00051
scoring_system epss
scoring_elements 0.1592
published_at 2026-04-09T12:55:00Z
9
value 0.00058
scoring_system epss
scoring_elements 0.18187
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34826
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:34Z/
url https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34826
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34826
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454508
reference_id 2454508
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454508
8
reference_url https://github.com/advisories/GHSA-x8cg-fq8g-mxfx
reference_id GHSA-x8cg-fq8g-mxfx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x8cg-fq8g-mxfx
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34826, GHSA-x8cg-fq8g-mxfx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-metf-cghw-p3b5
9
url VCID-p3dk-p1gb-kkem
vulnerability_id VCID-p3dk-p1gb-kkem
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34230
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05546
published_at 2026-04-21T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.1188
published_at 2026-04-04T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.11666
published_at 2026-04-07T12:55:00Z
3
value 0.00051
scoring_system epss
scoring_elements 0.16019
published_at 2026-04-11T12:55:00Z
4
value 0.00051
scoring_system epss
scoring_elements 0.15838
published_at 2026-04-16T12:55:00Z
5
value 0.00051
scoring_system epss
scoring_elements 0.15912
published_at 2026-04-13T12:55:00Z
6
value 0.00051
scoring_system epss
scoring_elements 0.15981
published_at 2026-04-12T12:55:00Z
7
value 0.00051
scoring_system epss
scoring_elements 0.15979
published_at 2026-04-08T12:55:00Z
8
value 0.00051
scoring_system epss
scoring_elements 0.16042
published_at 2026-04-09T12:55:00Z
9
value 0.00063
scoring_system epss
scoring_elements 0.19615
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34230
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:56:03Z/
url https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34230
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34230
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454493
reference_id 2454493
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454493
8
reference_url https://github.com/advisories/GHSA-v569-hp3g-36wr
reference_id GHSA-v569-hp3g-36wr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v569-hp3g-36wr
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34230, GHSA-v569-hp3g-36wr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p3dk-p1gb-kkem
10
url VCID-pbu7-4hdm-s3a6
vulnerability_id VCID-pbu7-4hdm-s3a6
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34830
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08839
published_at 2026-04-04T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.08773
published_at 2026-04-07T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12361
published_at 2026-04-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12399
published_at 2026-04-11T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12391
published_at 2026-04-09T12:55:00Z
5
value 0.00041
scoring_system epss
scoring_elements 0.12341
published_at 2026-04-08T12:55:00Z
6
value 0.00041
scoring_system epss
scoring_elements 0.12223
published_at 2026-04-16T12:55:00Z
7
value 0.00041
scoring_system epss
scoring_elements 0.12323
published_at 2026-04-13T12:55:00Z
8
value 0.00043
scoring_system epss
scoring_elements 0.13017
published_at 2026-04-21T12:55:00Z
9
value 0.00043
scoring_system epss
scoring_elements 0.12919
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34830
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34830
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34830
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454510
reference_id 2454510
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454510
7
reference_url https://github.com/advisories/GHSA-qv7j-4883-hwh7
reference_id GHSA-qv7j-4883-hwh7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qv7j-4883-hwh7
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
reference_id GHSA-qv7j-4883-hwh7
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:59:36Z/
url https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-34830, GHSA-qv7j-4883-hwh7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbu7-4hdm-s3a6
11
url VCID-pnz8-yes1-pfc7
vulnerability_id VCID-pnz8-yes1-pfc7
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26962.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26962.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26962
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.0546
published_at 2026-04-21T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.11819
published_at 2026-04-04T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.11603
published_at 2026-04-07T12:55:00Z
3
value 0.00051
scoring_system epss
scoring_elements 0.1582
published_at 2026-04-13T12:55:00Z
4
value 0.00051
scoring_system epss
scoring_elements 0.15752
published_at 2026-04-18T12:55:00Z
5
value 0.00051
scoring_system epss
scoring_elements 0.15743
published_at 2026-04-16T12:55:00Z
6
value 0.00051
scoring_system epss
scoring_elements 0.15887
published_at 2026-04-12T12:55:00Z
7
value 0.00051
scoring_system epss
scoring_elements 0.15949
published_at 2026-04-09T12:55:00Z
8
value 0.00051
scoring_system epss
scoring_elements 0.15925
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26962
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26962
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26962
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:31:17Z/
url https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26962
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26962
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454511
reference_id 2454511
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454511
8
reference_url https://github.com/advisories/GHSA-rx22-g9mx-qrhv
reference_id GHSA-rx22-g9mx-qrhv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rx22-g9mx-qrhv
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-26962, GHSA-rx22-g9mx-qrhv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pnz8-yes1-pfc7
12
url VCID-wvs1-dhwp-ebat
vulnerability_id VCID-wvs1-dhwp-ebat
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26961
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02185
published_at 2026-04-21T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08219
published_at 2026-04-04T12:55:00Z
2
value 0.00029
scoring_system epss
scoring_elements 0.08165
published_at 2026-04-07T12:55:00Z
3
value 0.00038
scoring_system epss
scoring_elements 0.11377
published_at 2026-04-13T12:55:00Z
4
value 0.00038
scoring_system epss
scoring_elements 0.11236
published_at 2026-04-16T12:55:00Z
5
value 0.00038
scoring_system epss
scoring_elements 0.11376
published_at 2026-04-08T12:55:00Z
6
value 0.00038
scoring_system epss
scoring_elements 0.11434
published_at 2026-04-09T12:55:00Z
7
value 0.00038
scoring_system epss
scoring_elements 0.1144
published_at 2026-04-11T12:55:00Z
8
value 0.00038
scoring_system epss
scoring_elements 0.11407
published_at 2026-04-12T12:55:00Z
9
value 0.0004
scoring_system epss
scoring_elements 0.12015
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26961
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:57:50Z/
url https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26961
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26961
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454483
reference_id 2454483
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454483
8
reference_url https://github.com/advisories/GHSA-vgpv-f759-9wx3
reference_id GHSA-vgpv-f759-9wx3
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vgpv-f759-9wx3
9
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1
1
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1
2
url pkg:deb/debian/ruby-rack@3.2.6-2
purl pkg:deb/debian/ruby-rack@3.2.6-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2
aliases CVE-2026-26961, GHSA-vgpv-f759-9wx3
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wvs1-dhwp-ebat
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2