Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/activesupport@4.1.6
Typegem
Namespace
Nameactivesupport
Version4.1.6
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.2.3.1
Latest_non_vulnerable_version8.1.2.1
Affected_by_vulnerabilities
0
url VCID-1rxp-g9rz-4yb3
vulnerability_id VCID-1rxp-g9rz-4yb3
summary 
Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

# Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

# Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
reference_id
reference_type
scores
0
value 0.00395
scoring_system epss
scoring_elements 0.60394
published_at 2026-04-24T12:55:00Z
1
value 0.00395
scoring_system epss
scoring_elements 0.60323
published_at 2026-04-02T12:55:00Z
2
value 0.00395
scoring_system epss
scoring_elements 0.60349
published_at 2026-04-04T12:55:00Z
3
value 0.00395
scoring_system epss
scoring_elements 0.60317
published_at 2026-04-07T12:55:00Z
4
value 0.00395
scoring_system epss
scoring_elements 0.60366
published_at 2026-04-08T12:55:00Z
5
value 0.00395
scoring_system epss
scoring_elements 0.60382
published_at 2026-04-09T12:55:00Z
6
value 0.00395
scoring_system epss
scoring_elements 0.60403
published_at 2026-04-11T12:55:00Z
7
value 0.00395
scoring_system epss
scoring_elements 0.60389
published_at 2026-04-12T12:55:00Z
8
value 0.00395
scoring_system epss
scoring_elements 0.6037
published_at 2026-04-13T12:55:00Z
9
value 0.00395
scoring_system epss
scoring_elements 0.60411
published_at 2026-04-21T12:55:00Z
10
value 0.00395
scoring_system epss
scoring_elements 0.60419
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
4
reference_url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
9
reference_url https://security.netapp.com/advisory/ntap-20240202-0006
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0006
10
reference_url https://www.debian.org/security/2023/dsa-5389
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://www.debian.org/security/2023/dsa-5389
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
reference_id 1033262
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
reference_id 2179637
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
reference_id CVE-2023-28120
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
reference_id CVE-2023-28120.YML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
15
reference_url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
reference_id GHSA-pj73-v5mw-pm9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
16
reference_url https://security.netapp.com/advisory/ntap-20240202-0006/
reference_id ntap-20240202-0006
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://security.netapp.com/advisory/ntap-20240202-0006/
17
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
18
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
reference_id UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
reference_id ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
fixed_packages
0
url pkg:gem/activesupport@6.1.7.3
purl pkg:gem/activesupport@6.1.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-6pxd-xsaw-tuer
3
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.3
1
url pkg:gem/activesupport@7.0.4.3
purl pkg:gem/activesupport@7.0.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tzv-1t1b-t3g3
1
vulnerability VCID-5tky-d2en-u7c7
2
vulnerability VCID-6pxd-xsaw-tuer
3
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.4.3
aliases CVE-2023-28120, GHSA-pj73-v5mw-pm9j, GMS-2023-765
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1rxp-g9rz-4yb3
1
url VCID-3zdr-vasc-a7cn
vulnerability_id VCID-3zdr-vasc-a7cn
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
references
0
reference_url http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
1
reference_url http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
2
reference_url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
3
reference_url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-3009
reference_id
reference_type
scores
0
value 0.01632
scoring_system epss
scoring_elements 0.81962
published_at 2026-04-24T12:55:00Z
1
value 0.01632
scoring_system epss
scoring_elements 0.81837
published_at 2026-04-01T12:55:00Z
2
value 0.01632
scoring_system epss
scoring_elements 0.81848
published_at 2026-04-02T12:55:00Z
3
value 0.01632
scoring_system epss
scoring_elements 0.8187
published_at 2026-04-04T12:55:00Z
4
value 0.01632
scoring_system epss
scoring_elements 0.81866
published_at 2026-04-07T12:55:00Z
5
value 0.01632
scoring_system epss
scoring_elements 0.81893
published_at 2026-04-08T12:55:00Z
6
value 0.01632
scoring_system epss
scoring_elements 0.81899
published_at 2026-04-09T12:55:00Z
7
value 0.01632
scoring_system epss
scoring_elements 0.81919
published_at 2026-04-11T12:55:00Z
8
value 0.01632
scoring_system epss
scoring_elements 0.81907
published_at 2026-04-12T12:55:00Z
9
value 0.01632
scoring_system epss
scoring_elements 0.81902
published_at 2026-04-13T12:55:00Z
10
value 0.01632
scoring_system epss
scoring_elements 0.81937
published_at 2026-04-16T12:55:00Z
11
value 0.01632
scoring_system epss
scoring_elements 0.81938
published_at 2026-04-18T12:55:00Z
12
value 0.01632
scoring_system epss
scoring_elements 0.81939
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-3009
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
7
reference_url http://secunia.com/advisories/36600
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/36600
8
reference_url http://secunia.com/advisories/36717
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/36717
9
reference_url http://securitytracker.com/id?1022824
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://securitytracker.com/id?1022824
10
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
11
reference_url http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT4077
12
reference_url http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
13
reference_url http://www.debian.org/security/2009/dsa-1887
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2009/dsa-1887
14
reference_url http://www.osvdb.org/57666
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.osvdb.org/57666
15
reference_url http://www.securityfocus.com/bid/36278
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/36278
16
reference_url http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2009/2544
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=520843
reference_id 520843
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=520843
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id 545063
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-3009
reference_id CVE-2009-3009
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-3009
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
reference_id CVE-2009-3009.YML
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
21
reference_url https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
reference_id GHSA-8qrh-h9m2-5fvf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
22
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
aliases CVE-2009-3009, GHSA-8qrh-h9m2-5fvf, OSV-57666
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3zdr-vasc-a7cn
2
url VCID-43f3-rxwm-fkgv
vulnerability_id VCID-43f3-rxwm-fkgv
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2932
reference_id
reference_type
scores
0
value 0.00813
scoring_system epss
scoring_elements 0.74214
published_at 2026-04-02T12:55:00Z
1
value 0.00813
scoring_system epss
scoring_elements 0.74327
published_at 2026-04-24T12:55:00Z
2
value 0.00813
scoring_system epss
scoring_elements 0.74295
published_at 2026-04-21T12:55:00Z
3
value 0.00813
scoring_system epss
scoring_elements 0.74303
published_at 2026-04-18T12:55:00Z
4
value 0.00813
scoring_system epss
scoring_elements 0.74208
published_at 2026-04-01T12:55:00Z
5
value 0.00813
scoring_system epss
scoring_elements 0.7424
published_at 2026-04-04T12:55:00Z
6
value 0.00813
scoring_system epss
scoring_elements 0.74293
published_at 2026-04-16T12:55:00Z
7
value 0.00813
scoring_system epss
scoring_elements 0.74256
published_at 2026-04-13T12:55:00Z
8
value 0.00813
scoring_system epss
scoring_elements 0.74263
published_at 2026-04-12T12:55:00Z
9
value 0.00813
scoring_system epss
scoring_elements 0.74282
published_at 2026-04-11T12:55:00Z
10
value 0.00813
scoring_system epss
scoring_elements 0.7426
published_at 2026-04-09T12:55:00Z
11
value 0.00813
scoring_system epss
scoring_elements 0.74246
published_at 2026-04-08T12:55:00Z
12
value 0.00813
scoring_system epss
scoring_elements 0.74213
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2932
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=731435
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=731435
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932
7
reference_url http://secunia.com/advisories/45917
reference_id
reference_type
scores
url http://secunia.com/advisories/45917
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2932.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2932.yml
11
reference_url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
12
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
13
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
14
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
17
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2932
reference_id CVE-2011-2932
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2932
19
reference_url https://github.com/advisories/GHSA-9fh3-vh3h-q4g3
reference_id GHSA-9fh3-vh3h-q4g3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9fh3-vh3h-q4g3
20
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
aliases CVE-2011-2932, GHSA-9fh3-vh3h-q4g3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-43f3-rxwm-fkgv
3
url VCID-4tzv-1t1b-t3g3
vulnerability_id VCID-4tzv-1t1b-t3g3
summary 
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.04955
published_at 2026-04-21T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.04811
published_at 2026-04-18T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.04803
published_at 2026-04-16T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.04855
published_at 2026-04-13T12:55:00Z
4
value 0.00019
scoring_system epss
scoring_elements 0.04874
published_at 2026-04-12T12:55:00Z
5
value 0.00019
scoring_system epss
scoring_elements 0.04894
published_at 2026-04-11T12:55:00Z
6
value 0.00019
scoring_system epss
scoring_elements 0.04858
published_at 2026-04-07T12:55:00Z
7
value 0.00019
scoring_system epss
scoring_elements 0.04895
published_at 2026-04-08T12:55:00Z
8
value 0.00019
scoring_system epss
scoring_elements 0.0484
published_at 2026-04-04T12:55:00Z
9
value 0.00019
scoring_system epss
scoring_elements 0.04814
published_at 2026-04-02T12:55:00Z
10
value 0.00019
scoring_system epss
scoring_elements 0.04912
published_at 2026-04-09T12:55:00Z
11
value 0.0002
scoring_system epss
scoring_elements 0.0558
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
6
reference_url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
7
reference_url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
reference_id 2450556
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
15
reference_url https://github.com/advisories/GHSA-cg4j-q9v8-6v38
reference_id GHSA-cg4j-q9v8-6v38
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cg4j-q9v8-6v38
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33169, GHSA-cg4j-q9v8-6v38
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4tzv-1t1b-t3g3
4
url VCID-5tky-d2en-u7c7
vulnerability_id VCID-5tky-d2en-u7c7
summary 
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02255
published_at 2026-04-21T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02169
published_at 2026-04-18T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02157
published_at 2026-04-16T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02179
published_at 2026-04-13T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02183
published_at 2026-04-12T12:55:00Z
5
value 0.00013
scoring_system epss
scoring_elements 0.02222
published_at 2026-04-09T12:55:00Z
6
value 0.00013
scoring_system epss
scoring_elements 0.02201
published_at 2026-04-08T12:55:00Z
7
value 0.00013
scoring_system epss
scoring_elements 0.02199
published_at 2026-04-11T12:55:00Z
8
value 0.00013
scoring_system epss
scoring_elements 0.02204
published_at 2026-04-04T12:55:00Z
9
value 0.00013
scoring_system epss
scoring_elements 0.022
published_at 2026-04-02T12:55:00Z
10
value 0.00014
scoring_system epss
scoring_elements 0.02804
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
6
reference_url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
7
reference_url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
reference_id 2450543
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
15
reference_url https://github.com/advisories/GHSA-89vf-4333-qx8v
reference_id GHSA-89vf-4333-qx8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-89vf-4333-qx8v
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33170, GHSA-89vf-4333-qx8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5tky-d2en-u7c7
5
url VCID-6ku5-mtgz-zygw
vulnerability_id VCID-6ku5-mtgz-zygw
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
reference_id
reference_type
scores
0
value 0.01484
scoring_system epss
scoring_elements 0.81049
published_at 2026-04-21T12:55:00Z
1
value 0.01484
scoring_system epss
scoring_elements 0.81071
published_at 2026-04-24T12:55:00Z
2
value 0.01733
scoring_system epss
scoring_elements 0.82468
published_at 2026-04-12T12:55:00Z
3
value 0.01733
scoring_system epss
scoring_elements 0.82473
published_at 2026-04-11T12:55:00Z
4
value 0.01733
scoring_system epss
scoring_elements 0.82454
published_at 2026-04-09T12:55:00Z
5
value 0.01733
scoring_system epss
scoring_elements 0.82406
published_at 2026-04-02T12:55:00Z
6
value 0.01733
scoring_system epss
scoring_elements 0.825
published_at 2026-04-18T12:55:00Z
7
value 0.01733
scoring_system epss
scoring_elements 0.82463
published_at 2026-04-13T12:55:00Z
8
value 0.01733
scoring_system epss
scoring_elements 0.82424
published_at 2026-04-04T12:55:00Z
9
value 0.01733
scoring_system epss
scoring_elements 0.82448
published_at 2026-04-08T12:55:00Z
10
value 0.01733
scoring_system epss
scoring_elements 0.8242
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
16
reference_url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
17
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
18
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
19
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
reference_id 2164736
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
reference_id CVE-2023-22796
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
23
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
reference_id CVE-2023-22796.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
24
reference_url https://github.com/advisories/GHSA-j6gc-792m-qgm2
reference_id GHSA-j6gc-792m-qgm2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j6gc-792m-qgm2
25
reference_url https://security.netapp.com/advisory/ntap-20240202-0009/
reference_id ntap-20240202-0009
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://security.netapp.com/advisory/ntap-20240202-0009/
26
reference_url https://access.redhat.com/errata/RHSA-2023:4341
reference_id RHSA-2023:4341
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4341
27
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/activesupport@5.2.8
purl pkg:gem/activesupport@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6ku5-mtgz-zygw
4
vulnerability VCID-6pxd-xsaw-tuer
5
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@5.2.8
1
url pkg:gem/activesupport@6.1.7.1
purl pkg:gem/activesupport@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6ku5-mtgz-zygw
4
vulnerability VCID-6pxd-xsaw-tuer
5
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.1
2
url pkg:gem/activesupport@7.0.4.1
purl pkg:gem/activesupport@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-4tzv-1t1b-t3g3
2
vulnerability VCID-5tky-d2en-u7c7
3
vulnerability VCID-6ku5-mtgz-zygw
4
vulnerability VCID-6pxd-xsaw-tuer
5
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.4.1
aliases CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ku5-mtgz-zygw
6
url VCID-6r5v-h4kr-zqen
vulnerability_id VCID-6r5v-h4kr-zqen
summary 
Moderate severity vulnerability that affects activesupport
Withdrawn, accidental duplicate publish.

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
references
0
reference_url https://github.com/advisories/GHSA-35c4-f3rq-f9g3
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-35c4-f3rq-f9g3
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
reference_id CVE-2015-3227
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
fixed_packages
0
url pkg:gem/activesupport@4.1.11
purl pkg:gem/activesupport@4.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.1.11
1
url pkg:gem/activesupport@4.2.2
purl pkg:gem/activesupport@4.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.2.2
aliases GHSA-35c4-f3rq-f9g3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6r5v-h4kr-zqen
7
url VCID-7f5r-9h1g-nuch
vulnerability_id VCID-7f5r-9h1g-nuch
summary 
Exposure of Sensitive Information to an Unauthorized Actor
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-3086
reference_id
reference_type
scores
0
value 0.00556
scoring_system epss
scoring_elements 0.68222
published_at 2026-04-24T12:55:00Z
1
value 0.00556
scoring_system epss
scoring_elements 0.68179
published_at 2026-04-21T12:55:00Z
2
value 0.00556
scoring_system epss
scoring_elements 0.68197
published_at 2026-04-18T12:55:00Z
3
value 0.00556
scoring_system epss
scoring_elements 0.68185
published_at 2026-04-16T12:55:00Z
4
value 0.00556
scoring_system epss
scoring_elements 0.68147
published_at 2026-04-13T12:55:00Z
5
value 0.00556
scoring_system epss
scoring_elements 0.6818
published_at 2026-04-12T12:55:00Z
6
value 0.00556
scoring_system epss
scoring_elements 0.68194
published_at 2026-04-11T12:55:00Z
7
value 0.00556
scoring_system epss
scoring_elements 0.68169
published_at 2026-04-09T12:55:00Z
8
value 0.00556
scoring_system epss
scoring_elements 0.68154
published_at 2026-04-08T12:55:00Z
9
value 0.00556
scoring_system epss
scoring_elements 0.68102
published_at 2026-04-07T12:55:00Z
10
value 0.00556
scoring_system epss
scoring_elements 0.68125
published_at 2026-04-04T12:55:00Z
11
value 0.00556
scoring_system epss
scoring_elements 0.68084
published_at 2026-04-01T12:55:00Z
12
value 0.00556
scoring_system epss
scoring_elements 0.68107
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-3086
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
3
reference_url http://secunia.com/advisories/36600
reference_id
reference_type
scores
url http://secunia.com/advisories/36600
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
6
reference_url https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
7
reference_url https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml
9
reference_url https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
10
reference_url https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
11
reference_url https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
12
reference_url http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
13
reference_url http://www.debian.org/security/2011/dsa-2260
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2260
14
reference_url http://www.securityfocus.com/bid/37427
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/37427
15
reference_url http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2009/2544
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id 545063
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-3086
reference_id CVE-2009-3086
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-3086
18
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
reference_id CVE-2009-3086.YML
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
19
reference_url https://github.com/advisories/GHSA-fg9w-g6m4-557j
reference_id GHSA-fg9w-g6m4-557j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fg9w-g6m4-557j
20
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
aliases CVE-2009-3086, GHSA-fg9w-g6m4-557j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7f5r-9h1g-nuch
8
url VCID-ed3f-3bxh-eba4
vulnerability_id VCID-ed3f-3bxh-eba4
summary 
activesupport vulnerable to Denial of Service via large XML document depth
The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
1
reference_url http://openwall.com/lists/oss-security/2015/06/16/16
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/06/16/16
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3227.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3227.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-3227
reference_id
reference_type
scores
0
value 0.02683
scoring_system epss
scoring_elements 0.85887
published_at 2026-04-24T12:55:00Z
1
value 0.02683
scoring_system epss
scoring_elements 0.85807
published_at 2026-04-04T12:55:00Z
2
value 0.02683
scoring_system epss
scoring_elements 0.85812
published_at 2026-04-07T12:55:00Z
3
value 0.02683
scoring_system epss
scoring_elements 0.85831
published_at 2026-04-08T12:55:00Z
4
value 0.02683
scoring_system epss
scoring_elements 0.85841
published_at 2026-04-09T12:55:00Z
5
value 0.02683
scoring_system epss
scoring_elements 0.85856
published_at 2026-04-11T12:55:00Z
6
value 0.02683
scoring_system epss
scoring_elements 0.85853
published_at 2026-04-12T12:55:00Z
7
value 0.02683
scoring_system epss
scoring_elements 0.85849
published_at 2026-04-13T12:55:00Z
8
value 0.02683
scoring_system epss
scoring_elements 0.85868
published_at 2026-04-16T12:55:00Z
9
value 0.02683
scoring_system epss
scoring_elements 0.85873
published_at 2026-04-18T12:55:00Z
10
value 0.02683
scoring_system epss
scoring_elements 0.85865
published_at 2026-04-21T12:55:00Z
11
value 0.02683
scoring_system epss
scoring_elements 0.85776
published_at 2026-04-01T12:55:00Z
12
value 0.02683
scoring_system epss
scoring_elements 0.85789
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-3227
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
14
reference_url https://github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
15
reference_url https://github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
16
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
17
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
18
reference_url https://web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
19
reference_url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
20
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1232302
reference_id 1232302
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1232302
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790487
reference_id 790487
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790487
23
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
reference_id CVE-2015-3227
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
24
reference_url https://github.com/advisories/GHSA-j96r-xvjq-r9pg
reference_id GHSA-j96r-xvjq-r9pg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j96r-xvjq-r9pg
fixed_packages
0
url pkg:gem/activesupport@4.1.11
purl pkg:gem/activesupport@4.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.1.11
1
url pkg:gem/activesupport@4.2.0.beta1
purl pkg:gem/activesupport@4.2.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-ed3f-3bxh-eba4
8
vulnerability VCID-j24x-nhsb-yug6
9
vulnerability VCID-sarm-n22v-akcm
10
vulnerability VCID-t2cx-7ycd-tqhq
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.2.0.beta1
2
url pkg:gem/activesupport@4.2.2
purl pkg:gem/activesupport@4.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.2.2
aliases CVE-2015-3227, GHSA-j96r-xvjq-r9pg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ed3f-3bxh-eba4
9
url VCID-j24x-nhsb-yug6
vulnerability_id VCID-j24x-nhsb-yug6
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
3
reference_url http://openwall.com/lists/oss-security/2011/06/09/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2011/06/09/2
4
reference_url http://openwall.com/lists/oss-security/2011/06/13/9
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2011/06/13/9
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2197
reference_id
reference_type
scores
0
value 0.00442
scoring_system epss
scoring_elements 0.63243
published_at 2026-04-07T12:55:00Z
1
value 0.00442
scoring_system epss
scoring_elements 0.6332
published_at 2026-04-24T12:55:00Z
2
value 0.00442
scoring_system epss
scoring_elements 0.63301
published_at 2026-04-21T12:55:00Z
3
value 0.00442
scoring_system epss
scoring_elements 0.63322
published_at 2026-04-18T12:55:00Z
4
value 0.00442
scoring_system epss
scoring_elements 0.63314
published_at 2026-04-16T12:55:00Z
5
value 0.00442
scoring_system epss
scoring_elements 0.63295
published_at 2026-04-08T12:55:00Z
6
value 0.00442
scoring_system epss
scoring_elements 0.6333
published_at 2026-04-11T12:55:00Z
7
value 0.00442
scoring_system epss
scoring_elements 0.63313
published_at 2026-04-09T12:55:00Z
8
value 0.00442
scoring_system epss
scoring_elements 0.6319
published_at 2026-04-01T12:55:00Z
9
value 0.00442
scoring_system epss
scoring_elements 0.63249
published_at 2026-04-02T12:55:00Z
10
value 0.00442
scoring_system epss
scoring_elements 0.63278
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2197
6
reference_url http://secunia.com/advisories/44789
reference_id
reference_type
scores
url http://secunia.com/advisories/44789
7
reference_url https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
10
reference_url https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
11
reference_url http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2197
reference_id CVE-2011-2197
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2197
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
reference_id CVE-2011-2197.YML
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
14
reference_url https://github.com/advisories/GHSA-v9v4-7jp6-8c73
reference_id GHSA-v9v4-7jp6-8c73
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v9v4-7jp6-8c73
fixed_packages
aliases CVE-2011-2197, GHSA-v9v4-7jp6-8c73
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j24x-nhsb-yug6
10
url VCID-sarm-n22v-akcm
vulnerability_id VCID-sarm-n22v-akcm
summary 
Rails Active Support has a possible DoS vulnerability in its number helpers
### Impact
Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05638
published_at 2026-04-02T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05813
published_at 2026-04-21T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05666
published_at 2026-04-18T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05654
published_at 2026-04-16T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05699
published_at 2026-04-13T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05705
published_at 2026-04-12T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05712
published_at 2026-04-11T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05733
published_at 2026-04-09T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05706
published_at 2026-04-08T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05668
published_at 2026-04-07T12:55:00Z
10
value 0.00021
scoring_system epss
scoring_elements 0.05678
published_at 2026-04-04T12:55:00Z
11
value 0.00023
scoring_system epss
scoring_elements 0.06323
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
6
reference_url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
7
reference_url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
reference_id 2450551
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
15
reference_url https://github.com/advisories/GHSA-2j26-frm8-cmj9
reference_id GHSA-2j26-frm8-cmj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2j26-frm8-cmj9
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33176, GHSA-2j26-frm8-cmj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sarm-n22v-akcm
11
url VCID-t2cx-7ycd-tqhq
vulnerability_id VCID-t2cx-7ycd-tqhq
summary 
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
references
0
reference_url http://openwall.com/lists/oss-security/2015/06/16/17
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/06/16/17
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3226.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3226.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-3226
reference_id
reference_type
scores
0
value 0.00212
scoring_system epss
scoring_elements 0.43622
published_at 2026-04-24T12:55:00Z
1
value 0.00212
scoring_system epss
scoring_elements 0.43674
published_at 2026-04-07T12:55:00Z
2
value 0.00212
scoring_system epss
scoring_elements 0.43725
published_at 2026-04-08T12:55:00Z
3
value 0.00212
scoring_system epss
scoring_elements 0.43728
published_at 2026-04-09T12:55:00Z
4
value 0.00212
scoring_system epss
scoring_elements 0.43748
published_at 2026-04-11T12:55:00Z
5
value 0.00212
scoring_system epss
scoring_elements 0.43699
published_at 2026-04-13T12:55:00Z
6
value 0.00212
scoring_system epss
scoring_elements 0.43761
published_at 2026-04-16T12:55:00Z
7
value 0.00212
scoring_system epss
scoring_elements 0.43752
published_at 2026-04-18T12:55:00Z
8
value 0.00212
scoring_system epss
scoring_elements 0.43684
published_at 2026-04-21T12:55:00Z
9
value 0.00212
scoring_system epss
scoring_elements 0.4366
published_at 2026-04-01T12:55:00Z
10
value 0.00212
scoring_system epss
scoring_elements 0.43716
published_at 2026-04-12T12:55:00Z
11
value 0.00212
scoring_system epss
scoring_elements 0.43741
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-3226
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ
13
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
14
reference_url https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ
15
reference_url https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231
16
reference_url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
17
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1232310
reference_id 1232310
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1232310
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790486
reference_id 790486
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790486
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-3226
reference_id CVE-2015-3226
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-3226
21
reference_url https://github.com/advisories/GHSA-vxvp-4xwc-jpp6
reference_id GHSA-vxvp-4xwc-jpp6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxvp-4xwc-jpp6
fixed_packages
0
url pkg:gem/activesupport@4.1.11
purl pkg:gem/activesupport@4.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.1.11
1
url pkg:gem/activesupport@4.2.0.beta1
purl pkg:gem/activesupport@4.2.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-ed3f-3bxh-eba4
8
vulnerability VCID-j24x-nhsb-yug6
9
vulnerability VCID-sarm-n22v-akcm
10
vulnerability VCID-t2cx-7ycd-tqhq
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.2.0.beta1
2
url pkg:gem/activesupport@4.2.2
purl pkg:gem/activesupport@4.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1rxp-g9rz-4yb3
1
vulnerability VCID-3zdr-vasc-a7cn
2
vulnerability VCID-43f3-rxwm-fkgv
3
vulnerability VCID-4tzv-1t1b-t3g3
4
vulnerability VCID-5tky-d2en-u7c7
5
vulnerability VCID-6ku5-mtgz-zygw
6
vulnerability VCID-7f5r-9h1g-nuch
7
vulnerability VCID-j24x-nhsb-yug6
8
vulnerability VCID-sarm-n22v-akcm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.2.2
aliases CVE-2015-3226, GHSA-vxvp-4xwc-jpp6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t2cx-7ycd-tqhq
Fixing_vulnerabilities
Risk_score3.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/activesupport@4.1.6