| 0 |
| url |
VCID-1vp9-6q85-5ffv |
| vulnerability_id |
VCID-1vp9-6q85-5ffv |
| summary |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names. This also affects the CGI gem for Ruby. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41819 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73242 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73218 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73192 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73228 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73318 |
| published_at |
2026-04-24T12:55:00Z |
|
| 5 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73197 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73284 |
| published_at |
2026-04-21T12:55:00Z |
|
| 7 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73292 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73283 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.7324 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73247 |
| published_at |
2026-04-12T12:55:00Z |
|
| 11 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73267 |
| published_at |
2026-04-11T12:55:00Z |
|
| 12 |
| value |
0.00755 |
| scoring_system |
epss |
| scoring_elements |
0.73187 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41819 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://hackerone.com/reports/910552 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T14:43:38Z/ |
|
|
| url |
https://hackerone.com/reports/910552 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-41819, GHSA-4vf4-qmvg-mh7h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1vp9-6q85-5ffv |
|
| 1 |
| url |
VCID-2sv2-6snv-2bd3 |
| vulnerability_id |
VCID-2sv2-6snv-2bd3 |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-28739 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53796 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53773 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53798 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53845 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53828 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53812 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53849 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00306 |
| scoring_system |
epss |
| scoring_elements |
0.53746 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00314 |
| scoring_system |
epss |
| scoring_elements |
0.54538 |
| published_at |
2026-04-24T12:55:00Z |
|
| 9 |
| value |
0.00346 |
| scoring_system |
epss |
| scoring_elements |
0.57161 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00346 |
| scoring_system |
epss |
| scoring_elements |
0.57139 |
| published_at |
2026-04-21T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-28739 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-28739, GHSA-mvgc-rxvg-hqc6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2sv2-6snv-2bd3 |
|
| 2 |
| url |
VCID-3d14-jf3q-xqbf |
| vulnerability_id |
VCID-3d14-jf3q-xqbf |
| summary |
ruby: BasicSocket#read_nonblock method leads to information disclosure |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10933 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.62985 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63129 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.6312 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63127 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63108 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63044 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63072 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63037 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63087 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63104 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63121 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63107 |
| published_at |
2026-04-12T12:55:00Z |
|
| 12 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63084 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10933 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-10933, GHSA-g5hm-28jr-53fh
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3d14-jf3q-xqbf |
|
| 3 |
| url |
VCID-5mfh-yzfk-cqaa |
| vulnerability_id |
VCID-5mfh-yzfk-cqaa |
| summary |
StringIO buffer overread vulnerability
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.
The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value.
This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.
We recommend updating the StringIO gem to version 3.0.3 or later. To ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
* For Ruby 3.1 users: Update to `stringio` 3.1.0.2
You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27280 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.06546 |
| scoring_system |
epss |
| scoring_elements |
0.91174 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.06546 |
| scoring_system |
epss |
| scoring_elements |
0.9116 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91482 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91467 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91473 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91524 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91529 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91508 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91506 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.0706 |
| scoring_system |
epss |
| scoring_elements |
0.91501 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27280 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/ruby/stringio |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/stringio |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://hackerone.com/reports/1399856 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-09T18:08:05Z/ |
|
|
| url |
https://hackerone.com/reports/1399856 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-27280, GHSA-v5h6-c2hv-hv3r
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5mfh-yzfk-cqaa |
|
| 4 |
| url |
VCID-9g2w-sc9w-eyce |
| vulnerability_id |
VCID-9g2w-sc9w-eyce |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-33621 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01301 |
| scoring_system |
epss |
| scoring_elements |
0.79764 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.01337 |
| scoring_system |
epss |
| scoring_elements |
0.80051 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80528 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.8056 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80536 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.8055 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80532 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80522 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80492 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80502 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80481 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.01412 |
| scoring_system |
epss |
| scoring_elements |
0.80475 |
| published_at |
2026-04-01T12:55:00Z |
|
| 12 |
| value |
0.01562 |
| scoring_system |
epss |
| scoring_elements |
0.81521 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-33621 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-33621, GHSA-vc47-6rqg-c7f5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9g2w-sc9w-eyce |
|
| 5 |
| url |
VCID-9x9w-2k98-wydm |
| vulnerability_id |
VCID-9x9w-2k98-wydm |
| summary |
Ruby Time component ReDoS issue
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28756 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00587 |
| scoring_system |
epss |
| scoring_elements |
0.69183 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00651 |
| scoring_system |
epss |
| scoring_elements |
0.70887 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00707 |
| scoring_system |
epss |
| scoring_elements |
0.72211 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74491 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74463 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74472 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74419 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74444 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74418 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74469 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00826 |
| scoring_system |
epss |
| scoring_elements |
0.74452 |
| published_at |
2026-04-08T12:55:00Z |
|
| 11 |
| value |
0.00914 |
| scoring_system |
epss |
| scoring_elements |
0.75917 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28756 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-28756, GHSA-fg7x-g82r-94qc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9x9w-2k98-wydm |
|
| 6 |
| url |
VCID-a1z8-2fdu-1uhd |
| vulnerability_id |
VCID-a1z8-2fdu-1uhd |
| summary |
Arbitrary Code Execution in RDoc
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-31799 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57547 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57567 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57463 |
| published_at |
2026-04-01T12:55:00Z |
|
| 3 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57543 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57596 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57615 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57595 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57573 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57535 |
| published_at |
2026-04-24T12:55:00Z |
|
| 10 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57577 |
| published_at |
2026-04-21T12:55:00Z |
|
| 11 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57602 |
| published_at |
2026-04-16T12:55:00Z |
|
| 12 |
| value |
0.00351 |
| scoring_system |
epss |
| scoring_elements |
0.57599 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-31799 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://security.gentoo.org/glsa/202401-05 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/ |
|
|
| url |
https://security.gentoo.org/glsa/202401-05 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-31799, GHSA-ggxm-pgc9-g7fp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a1z8-2fdu-1uhd |
|
| 7 |
| url |
VCID-ajtx-8w3u-rkae |
| vulnerability_id |
VCID-ajtx-8w3u-rkae |
| summary |
URI gem has ReDoS vulnerability
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
[The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
- For Ruby 3.0: Update to uri 0.10.3
- For Ruby 3.1 and 3.2: Update to uri 0.12.2.
You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.2"` (or another version mentioned above) to your Gemfile. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-36617 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00906 |
| scoring_system |
epss |
| scoring_elements |
0.75767 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00906 |
| scoring_system |
epss |
| scoring_elements |
0.75806 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76842 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76847 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76799 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76745 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76774 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76755 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76787 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76797 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76826 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.00983 |
| scoring_system |
epss |
| scoring_elements |
0.76806 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-36617 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/uri |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-36617, GHSA-hww2-5g85-429m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ajtx-8w3u-rkae |
|
| 8 |
| url |
VCID-bdar-wgfe-qqgf |
| vulnerability_id |
VCID-bdar-wgfe-qqgf |
| summary |
REXML round-trip instability
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-28965 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58281 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58319 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58193 |
| published_at |
2026-04-01T12:55:00Z |
|
| 3 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58327 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58349 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58332 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58326 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58273 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58298 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58278 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58342 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58339 |
| published_at |
2026-04-16T12:55:00Z |
|
| 12 |
| value |
0.00362 |
| scoring_system |
epss |
| scoring_elements |
0.58306 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-28965 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-28965, GHSA-8cr8-4vfw-mr7h
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bdar-wgfe-qqgf |
|
| 9 |
| url |
VCID-c5xq-bv4t-73ff |
| vulnerability_id |
VCID-c5xq-bv4t-73ff |
| summary |
REXML contains a denial of service vulnerability
### Impact
The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value.
If you need to parse untrusted XMLs, you may be affected by this vulnerability.
### Patches
The REXML gem 3.2.7 or later includes the patch to fix this vulnerability.
### Workarounds
Don't parse untrusted XMLs.
### References
* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-35176 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.06399 |
| scoring_system |
epss |
| scoring_elements |
0.91069 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.06399 |
| scoring_system |
epss |
| scoring_elements |
0.91056 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91393 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91391 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91384 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91414 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91418 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91365 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91358 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91347 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.06902 |
| scoring_system |
epss |
| scoring_elements |
0.91377 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-35176 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-35176, GHSA-vg3r-rm7w-2xgh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c5xq-bv4t-73ff |
|
| 10 |
| url |
VCID-d6tn-s1q2-a3hc |
| vulnerability_id |
VCID-d6tn-s1q2-a3hc |
| summary |
Unsafe object creation in json RubyGem
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10663 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91832 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91813 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91817 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91815 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91812 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91805 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91792 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91779 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.9177 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91784 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91833 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.07526 |
| scoring_system |
epss |
| scoring_elements |
0.91827 |
| published_at |
2026-04-21T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10663 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-10663, GHSA-jphg-qwrw-7w9g
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d6tn-s1q2-a3hc |
|
| 11 |
| url |
VCID-exq5-cnrm-3uhd |
| vulnerability_id |
VCID-exq5-cnrm-3uhd |
| summary |
CGI has Denial of Service (DoS) potential in Cookie.parse
There is a possibility for DoS in the cgi gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
## Details
CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
Please update the cgi gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
## Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
## Credits
Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27219 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00316 |
| scoring_system |
epss |
| scoring_elements |
0.54678 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00316 |
| scoring_system |
epss |
| scoring_elements |
0.54679 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00316 |
| scoring_system |
epss |
| scoring_elements |
0.5464 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00316 |
| scoring_system |
epss |
| scoring_elements |
0.54661 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00349 |
| scoring_system |
epss |
| scoring_elements |
0.57409 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00349 |
| scoring_system |
epss |
| scoring_elements |
0.57444 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00349 |
| scoring_system |
epss |
| scoring_elements |
0.57364 |
| published_at |
2026-04-24T12:55:00Z |
|
| 7 |
| value |
0.00416 |
| scoring_system |
epss |
| scoring_elements |
0.6169 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00416 |
| scoring_system |
epss |
| scoring_elements |
0.61675 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00623 |
| scoring_system |
epss |
| scoring_elements |
0.70084 |
| published_at |
2026-04-07T12:55:00Z |
|
| 10 |
| value |
0.00778 |
| scoring_system |
epss |
| scoring_elements |
0.73631 |
| published_at |
2026-04-04T12:55:00Z |
|
| 11 |
| value |
0.00778 |
| scoring_system |
epss |
| scoring_elements |
0.73608 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27219 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/cgi |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi |
|
| 5 |
| reference_url |
https://github.com/ruby/cgi/pull/52 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/52 |
|
| 6 |
| reference_url |
https://github.com/ruby/cgi/pull/53 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/53 |
|
| 7 |
| reference_url |
https://github.com/ruby/cgi/pull/54 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/54 |
|
| 8 |
|
| 9 |
| reference_url |
https://hackerone.com/reports/2936778 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:41:05Z/ |
|
|
| url |
https://hackerone.com/reports/2936778 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://www.cve.org/CVERecord?id=CVE-2025-27219 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://www.cve.org/CVERecord?id=CVE-2025-27219 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-27219, GHSA-gh9q-2xrm-x6qv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-exq5-cnrm-3uhd |
|
| 12 |
| url |
VCID-gfjn-m9zp-57c5 |
| vulnerability_id |
VCID-gfjn-m9zp-57c5 |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41816 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63113 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63077 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63099 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63096 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.6308 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63029 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63064 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.63036 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00437 |
| scoring_system |
epss |
| scoring_elements |
0.62977 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00483 |
| scoring_system |
epss |
| scoring_elements |
0.6523 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00483 |
| scoring_system |
epss |
| scoring_elements |
0.65236 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00483 |
| scoring_system |
epss |
| scoring_elements |
0.65222 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00483 |
| scoring_system |
epss |
| scoring_elements |
0.65239 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41816 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/ruby/cgi |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-41816, GHSA-5cqm-crxm-6qpv, GMS-2021-17
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gfjn-m9zp-57c5 |
|
| 13 |
| url |
VCID-h4mf-99f4-9bdw |
| vulnerability_id |
VCID-h4mf-99f4-9bdw |
| summary |
CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
There is a possibility for Regular Expression Denial of Service (ReDoS) in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.
## Details
The regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS. Crafted input could lead to high CPU consumption.
This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update the cgi gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
## Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
## Credits
Thanks to svalkanov for discovering this issue.
Also thanks to nobu for fixing this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27220 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39805 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39822 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39827 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39855 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.002 |
| scoring_system |
epss |
| scoring_elements |
0.42161 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00253 |
| scoring_system |
epss |
| scoring_elements |
0.48618 |
| published_at |
2026-04-24T12:55:00Z |
|
| 6 |
| value |
0.00253 |
| scoring_system |
epss |
| scoring_elements |
0.48634 |
| published_at |
2026-04-21T12:55:00Z |
|
| 7 |
| value |
0.00282 |
| scoring_system |
epss |
| scoring_elements |
0.51609 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00282 |
| scoring_system |
epss |
| scoring_elements |
0.51613 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00483 |
| scoring_system |
epss |
| scoring_elements |
0.65173 |
| published_at |
2026-04-07T12:55:00Z |
|
| 10 |
| value |
0.00566 |
| scoring_system |
epss |
| scoring_elements |
0.68425 |
| published_at |
2026-04-04T12:55:00Z |
|
| 11 |
| value |
0.00566 |
| scoring_system |
epss |
| scoring_elements |
0.68405 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27220 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/cgi |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi |
|
| 5 |
| reference_url |
https://github.com/ruby/cgi/pull/52 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/52 |
|
| 6 |
| reference_url |
https://github.com/ruby/cgi/pull/53 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/53 |
|
| 7 |
| reference_url |
https://github.com/ruby/cgi/pull/54 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/cgi/pull/54 |
|
| 8 |
|
| 9 |
| reference_url |
https://hackerone.com/reports/2890322 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:39:36Z/ |
|
|
| url |
https://hackerone.com/reports/2890322 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://www.cve.org/CVERecord?id=CVE-2025-27220 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L |
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://www.cve.org/CVERecord?id=CVE-2025-27220 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-27220, GHSA-mhwm-jh88-3gjf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h4mf-99f4-9bdw |
|
| 14 |
| url |
VCID-jdtw-bn8z-e3b6 |
| vulnerability_id |
VCID-jdtw-bn8z-e3b6 |
| summary |
REXML denial of service vulnerability
### Impact
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deeply nested elements whose attributes share the same local name.
If you need to parse untrusted XML with the tree parser API such as `REXML::Document.new`, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and the SAX2 parser API, this vulnerability does not affect you.
### Patches
The REXML gem 3.3.6 or later includes the patch that fixes the vulnerability.
### Workarounds
Don't parse untrusted XML with the tree parser API.
### References
* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announcement on www.ruby-lang.org |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43398 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.7838 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78371 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78397 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78401 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78402 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78373 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78325 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78356 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78339 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.01135 |
| scoring_system |
epss |
| scoring_elements |
0.78365 |
| published_at |
2026-04-08T12:55:00Z |
|
| 10 |
| value |
0.01167 |
| scoring_system |
epss |
| scoring_elements |
0.78661 |
| published_at |
2026-04-21T12:55:00Z |
|
| 11 |
| value |
0.01167 |
| scoring_system |
epss |
| scoring_elements |
0.78691 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-43398 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/rexml |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rexml |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/ruby/rexml/releases/tag/v3.3.6 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T14:43:15Z/ |
|
|
| url |
https://github.com/ruby/rexml/releases/tag/v3.3.6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-43398, GHSA-vmwr-mc7x-5vc3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jdtw-bn8z-e3b6 |
|
| 15 |
| url |
VCID-jgyw-q58q-7qgm |
| vulnerability_id |
VCID-jgyw-q58q-7qgm |
| summary |
Tempfile on Windows path traversal vulnerability
There is an unintentional directory creation vulnerability in the `tmpdir` library bundled with Ruby on Windows. There is also an unintentional file creation vulnerability in the tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-28966 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57281 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57241 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57284 |
| published_at |
2026-04-21T12:55:00Z |
|
| 3 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57305 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57173 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57277 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57255 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57307 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57309 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57322 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.00347 |
| scoring_system |
epss |
| scoring_elements |
0.57302 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-28966 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-28966, GHSA-46f2-3v63-3xrp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jgyw-q58q-7qgm |
|
| 16 |
| url |
VCID-m4a8-ya4v-tkgm |
| vulnerability_id |
VCID-m4a8-ya4v-tkgm |
| summary |
RDoc RCE vulnerability with .rdoc_options
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
We recommend updating the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
* For Ruby 3.2 users: Update to `rdoc` 6.5.1.1
You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`.
Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have an incorrect fix. We recommend upgrading to 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27281 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02273 |
| scoring_system |
epss |
| scoring_elements |
0.84707 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.02273 |
| scoring_system |
epss |
| scoring_elements |
0.8468 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85269 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85252 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85249 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.8527 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.8519 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85208 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.8521 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85231 |
| published_at |
2026-04-08T12:55:00Z |
|
| 10 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.8524 |
| published_at |
2026-04-09T12:55:00Z |
|
| 11 |
| value |
0.02463 |
| scoring_system |
epss |
| scoring_elements |
0.85254 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27281 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/rdoc |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rdoc |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://hackerone.com/reports/1187477 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T13:50:49Z/ |
|
|
| url |
https://hackerone.com/reports/1187477 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-27281, GHSA-592j-995h-p23j
|
| risk_score |
2.0 |
| exploitability |
0.5 |
| weighted_severity |
4.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m4a8-ya4v-tkgm |
|
| 17 |
| url |
VCID-m6hy-vnf9-hyfe |
| vulnerability_id |
VCID-m6hy-vnf9-hyfe |
| summary |
REXML DoS vulnerability
### Impact
The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API.
If you need to parse untrusted XML with the SAX2 or pull parser API, you may be impacted by this vulnerability.
### Patches
The REXML gem 3.3.3 or later includes the patch that fixes the vulnerability.
### Workarounds
Don't parse untrusted XML with the SAX2 or pull parser API.
### References
* https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/ : An announcement on www.ruby-lang.org |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-41946 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.7115 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71165 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71119 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71135 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71127 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71114 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71072 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71097 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.7108 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00661 |
| scoring_system |
epss |
| scoring_elements |
0.71172 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00679 |
| scoring_system |
epss |
| scoring_elements |
0.71635 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00679 |
| scoring_system |
epss |
| scoring_elements |
0.71584 |
| published_at |
2026-04-21T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-41946 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/rexml |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rexml |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/ |
|
|
| url |
https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 2 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/ |
|
|
| url |
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-41946, GHSA-5866-49gr-22v4
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m6hy-vnf9-hyfe |
|
| 18 |
| url |
VCID-mkq9-21q7-6kg6 |
| vulnerability_id |
VCID-mkq9-21q7-6kg6 |
| summary |
Regular expression denial of service vulnerability (ReDoS) in date
The date gem's date-parsing methods, such as `Date.parse`, are vulnerable to regular expression denial of service (ReDoS): crafted input makes parsing take time that grows far faster than the input length. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41817 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65809 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65761 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65796 |
| published_at |
2026-04-21T12:55:00Z |
|
| 3 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.6581 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65795 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65676 |
| published_at |
2026-04-01T12:55:00Z |
|
| 6 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65725 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65755 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65721 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65774 |
| published_at |
2026-04-08T12:55:00Z |
|
| 10 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65784 |
| published_at |
2026-04-09T12:55:00Z |
|
| 11 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65805 |
| published_at |
2026-04-11T12:55:00Z |
|
| 12 |
| value |
0.00495 |
| scoring_system |
epss |
| scoring_elements |
0.65791 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-41817 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-41817, GHSA-qg54-694p-wgpp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mkq9-21q7-6kg6 |
|
| 19 |
| url |
VCID-msc8-xjz2-2kb4 |
| vulnerability_id |
VCID-msc8-xjz2-2kb4 |
| summary |
REXML ReDoS vulnerability
### Impact
The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).
This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 reaches EOL in March 2025.
### Patches
The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.
### Workarounds
Use Ruby 3.2 or later instead of Ruby 3.1.
### References
* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: announcement on www.ruby-lang.org |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-49761 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.7561 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75661 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75599 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.7563 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.7568 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75655 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75644 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75696 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00899 |
| scoring_system |
epss |
| scoring_elements |
0.75693 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.0169 |
| scoring_system |
epss |
| scoring_elements |
0.82264 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.0169 |
| scoring_system |
epss |
| scoring_elements |
0.82285 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-49761 |
|
| 4 |
| reference_url |
https://github.com/ruby/rexml |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rexml |
|
| 6 |
| reference_url |
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/ |
|
|
| url |
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-49761, GHSA-2rxp-v6pw-ch6m
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-msc8-xjz2-2kb4 |
|
| 20 |
| url |
VCID-n1ja-n53g-fycm |
| vulnerability_id |
VCID-n1ja-n53g-fycm |
| summary |
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
There is a possibility of userinfo leakage in the uri gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.
## Details
The methods `URI#join`, `URI#merge`, and `URI#+` retain userinfo, such as `user:password`, even after the host has been replaced. When a URL pointing at a malicious host is generated with these methods from a URL that contains secret userinfo, and someone then accesses that URL, the userinfo is leaked to the malicious host.
Please update the uri gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
## Affected versions
uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.
## Credits
Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
Also thanks to nobu for additional fixes of this vulnerability. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27221 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.1144 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11384 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00118 |
| scoring_system |
epss |
| scoring_elements |
0.30715 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00137 |
| scoring_system |
epss |
| scoring_elements |
0.33558 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00137 |
| scoring_system |
epss |
| scoring_elements |
0.33568 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00137 |
| scoring_system |
epss |
| scoring_elements |
0.33581 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00137 |
| scoring_system |
epss |
| scoring_elements |
0.33592 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00152 |
| scoring_system |
epss |
| scoring_elements |
0.35907 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37695 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37709 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00173 |
| scoring_system |
epss |
| scoring_elements |
0.38495 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00173 |
| scoring_system |
epss |
| scoring_elements |
0.38651 |
| published_at |
2026-04-21T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27221 |
|
| 5 |
| reference_url |
https://github.com/ruby/uri |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri |
|
| 6 |
| reference_url |
https://github.com/ruby/uri/pull/154 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri/pull/154 |
|
| 7 |
| reference_url |
https://github.com/ruby/uri/pull/155 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri/pull/155 |
|
| 8 |
| reference_url |
https://github.com/ruby/uri/pull/156 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri/pull/156 |
|
| 9 |
| reference_url |
https://github.com/ruby/uri/pull/157 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/uri/pull/157 |
|
| 10 |
| reference_url |
https://hackerone.com/reports/2957667 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:38:46Z/ |
|
|
| url |
https://hackerone.com/reports/2957667 |
|
| 14 |
| reference_url |
https://www.cve.org/CVERecord?id=CVE-2025-27221 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
3.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 2 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://www.cve.org/CVERecord?id=CVE-2025-27221 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-27221, GHSA-22h5-pq3x-2gf2
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n1ja-n53g-fycm |
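
The userinfo leak in the uri advisory above, worked through in Ruby as an added example (not code from the uri gem, the advisory, or the linked pull requests). The reference that triggers the leak in unpatched versions is one that names a new host but carries no userinfo of its own, for instance the network-path reference `//evil.example/collect`; an absolute URL is returned unchanged by `merge` and does not leak. `merge_without_userinfo_leak` is a hypothetical wrapper that strips credentials whenever the merged authority differs from the base's, so it is safe on patched and unpatched uri versions alike, and `uri_leaks_userinfo?` probes the uri library loaded in the process so a test suite can fail if a vulnerable version comes back through a dependency bump.

```ruby
require "uri"

# Added example; not code from the uri gem or from the CVE-2025-27221 advisory.
# Unpatched URI#merge / URI#+ keep "user:password" from the base URL while
# swapping in the host from a reference such as "//evil.example/x". The
# wrapper below merges and then drops userinfo whenever the authority changed.

# Merge `reference` against `base` the way URI#merge does, but never carry the
# base's userinfo to a different scheme, host or port.
def merge_without_userinfo_leak(base, reference)
  base = URI(base)
  merged = base.merge(reference)
  return merged if merged.userinfo.nil?

  same_authority = merged.scheme == base.scheme &&
                   merged.host.to_s.downcase == base.host.to_s.downcase &&
                   merged.port == base.port
  unless same_authority
    # Clear the password first: URI#user= on its own leaves @password set, and
    # URI#userinfo=(nil) is a no-op in URI::Generic.
    merged.password = nil
    merged.user = nil
  end
  merged
end

# Probe: does the uri library loaded in this process still leak userinfo
# across a host change? true on vulnerable versions, false once patched.
def uri_leaks_userinfo?
  probe = URI("https://alice:s3cret@example.com/app/").merge("//evil.example/collect")
  !probe.userinfo.nil?
end

if __FILE__ == $PROGRAM_NAME
  base = "https://alice:s3cret@example.com/app/"   # constructed sample
  puts "uri #{URI::VERSION} leaks userinfo across hosts: #{uri_leaks_userinfo?}"
  puts merge_without_userinfo_leak(base, "//evil.example/collect")   # credentials dropped
  puts merge_without_userinfo_leak(base, "page?x=1")                 # same host, credentials kept
end
```

Keeping userinfo on a same-authority merge is deliberate: that is ordinary RFC 3986 relative-reference resolution, and stripping it there would break clients that legitimately carry credentials in the base URL. Upgrading the gem remains the fix; the wrapper is defence in depth for code paths that build redirect or callback URLs from user-controlled references.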
|
| 21 |
| url |
VCID-qu1w-yd76-t7c1 |
| vulnerability_id |
VCID-qu1w-yd76-t7c1 |
| summary |
REXML denial of service vulnerability
### Impact
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`.
If you need to parse untrusted XML, you may be affected by these vulnerabilities.
### Patches
The REXML gem 3.3.2 or later includes the patches that fix these vulnerabilities.
### Workarounds
Don't parse untrusted XML.
### References
* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/ |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-39908 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91234 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91238 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91227 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91221 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91207 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.912 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91192 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.9126 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91261 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.06685 |
| scoring_system |
epss |
| scoring_elements |
0.91237 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.08032 |
| scoring_system |
epss |
| scoring_elements |
0.92124 |
| published_at |
2026-04-21T12:55:00Z |
|
| 11 |
| value |
0.08032 |
| scoring_system |
epss |
| scoring_elements |
0.92128 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-39908 |
|
| 4 |
| reference_url |
https://github.com/ruby/rexml |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rexml |
|
| 6 |
| reference_url |
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:58:11Z/ |
|
|
| url |
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-39908, GHSA-4xqq-m2hx-25v8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qu1w-yd76-t7c1 |
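
The REXML advisories above (CVE-2024-39908 here, and CVE-2024-49761 and CVE-2024-41946 earlier on this page) all give the same workaround: don't parse untrusted XML. Where that cannot be avoided, the guard below, added here as an example and not code from REXML or from the advisories, bounds the damage: it caps input size, rejects numeric character references with implausibly long bodies (the CVE-2024-49761 trigger shape; a legitimate `&#...;` never needs more than a few characters), and runs the parse under a wall-clock budget so a pathological document costs bounded CPU instead of pinning a worker. The three limits and the `check_untrusted_xml` name are assumptions; the sample documents are constructed.

```ruby
require "rexml/document"
require "timeout"

# Added example; not code from REXML or from the advisories on this page.
# Pre-parse guard for XML from untrusted sources. Limits are assumptions.
MAX_XML_BYTES     = 1_000_000   # 1 MiB: adjust to the largest document you expect
MAX_NCR_BODY      = 16          # "&#x10FFFF;" needs 7 characters; longer bodies are suspect
PARSE_TIME_BUDGET = 2.0         # seconds of wall clock allowed for one parse

# Linear-time scan: "&#" followed by MAX_NCR_BODY+1 or more characters that are
# not ';'. No nested quantifiers, so the guard itself cannot be a ReDoS target.
OVERLONG_NCR = /&#[^;]{#{MAX_NCR_BODY + 1},}/

# Returns [:ok, REXML::Document] or [:rejected, reason_symbol].
def check_untrusted_xml(xml, max_bytes: MAX_XML_BYTES, budget: PARSE_TIME_BUDGET)
  return [:rejected, :too_large] if xml.bytesize > max_bytes
  return [:rejected, :overlong_numeric_reference] if OVERLONG_NCR.match?(xml)

  # Ruby's regexp engine checks for interrupts while matching, so Timeout can
  # cut short a backtracking blow-up inside REXML's tokenizer.
  doc = Timeout.timeout(budget) { REXML::Document.new(xml) }
  [:ok, doc]
rescue Timeout::Error
  [:rejected, :parse_timeout]
rescue REXML::ParseException
  [:rejected, :malformed]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  good = "<root><item id=\"1\">ok &#x41;</item></root>"
  bad  = "<root>&#" + ("0" * 5000) + "x41;</root>"   # shape described for CVE-2024-49761
  huge = "<root>" + ("<" * 2_000_000) + "</root>"    # size alone trips the cap
  [good, bad, huge].each do |x|
    status, detail = check_untrusted_xml(x)
    puts "#{status}: #{status == :ok ? detail.root.name : detail}"
  end
end
```

On Ruby 3.2 and later, `Regexp.timeout=` gives a process-wide backstop for every regexp match, including the ones REXML runs, and is worth setting in addition to the per-parse budget; on Ruby 3.1, which the CVE-2024-49761 advisory names as the only affected maintained release, `Timeout` is the available option. The size cap is what actually addresses the CVE-2024-39908 and CVE-2024-41946 inputs, which are large runs of ordinary characters rather than a single malformed token.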
|
| 22 |
| url |
VCID-qwh3-25yu-qfga |
| vulnerability_id |
VCID-qwh3-25yu-qfga |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. This entry tracks CVE-2022-28738, a double free in Ruby's Regexp compilation (Ruby 3.0.x before 3.0.4 and 3.1.x before 3.1.2). |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-28738 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58928 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58964 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58945 |
| published_at |
2026-04-21T12:55:00Z |
|
| 3 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58902 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58923 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.5889 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58942 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58948 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58967 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58949 |
| published_at |
2026-04-12T12:55:00Z |
|
| 10 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.5893 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-28738 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-28738, GHSA-8pqg-8p79-j5j8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qwh3-25yu-qfga |
|
| 23 |
| url |
VCID-t9y5-hd9b-bkc4 |
| vulnerability_id |
VCID-t9y5-hd9b-bkc4 |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. This entry tracks CVE-2021-31810: Net::FTP trusted the address in the server's PASV response, so a malicious FTP server could direct the client's data connection to an arbitrary host and port. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-31810 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70265 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70412 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70339 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70326 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.7037 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70379 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.7036 |
| published_at |
2026-04-21T12:55:00Z |
|
| 7 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70277 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70295 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70271 |
| published_at |
2026-04-07T12:55:00Z |
|
| 10 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70316 |
| published_at |
2026-04-08T12:55:00Z |
|
| 11 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70331 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00632 |
| scoring_system |
epss |
| scoring_elements |
0.70354 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-31810 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-31810, GHSA-wr95-679j-87v9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t9y5-hd9b-bkc4 |
|
| 24 |
| url |
VCID-uxdx-abx7-fkdy |
| vulnerability_id |
VCID-uxdx-abx7-fkdy |
| summary |
Ruby URI component ReDoS issue
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28755 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00304 |
| scoring_system |
epss |
| scoring_elements |
0.53634 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55292 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55283 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55304 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55291 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55241 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55263 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55239 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00322 |
| scoring_system |
epss |
| scoring_elements |
0.55265 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56541 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.00357 |
| scoring_system |
epss |
| scoring_elements |
0.57963 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00366 |
| scoring_system |
epss |
| scoring_elements |
0.58615 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28755 |
|
| 18 |
| reference_url |
https://security.gentoo.org/glsa/202401-27 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/ |
|
|
| url |
https://security.gentoo.org/glsa/202401-27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-28755, GHSA-hv5j-3h9f-99c2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uxdx-abx7-fkdy |
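
Added example, not VulnerableCode or RubyGems code: a Ruby check that encodes the affected ranges stated in the two uri advisories on this page (CVE-2025-27221 and the CVE-2023-28755 ReDoS above) and in the REXML advisories, and scans a Gemfile.lock for locked versions that fall inside them. Comparison goes through `Gem::Version` and `Gem::Requirement`, which ship with Ruby and apply RubyGems' own ordering, so a four-component version such as 0.10.0.1 and a two-digit patch level such as 3.3.10 compare correctly where naive string comparison would not. The Gemfile.lock fragment is constructed, and the `RUBY_GEM_ADVISORIES` table is hand-copied from the advisory text on this page rather than fetched from a database.

```ruby
require "rubygems"   # Gem::Version / Gem::Requirement ship with Ruby

# Added example; not code from VulnerableCode or RubyGems. Affected ranges are
# transcribed from the advisory text on this page.
RUBY_GEM_ADVISORIES = {
  # CVE-2025-27221: < 0.11.3, 0.12.0 to 0.12.3, 0.13.0 and 0.13.1, 1.0.0 to 1.0.2
  "CVE-2025-27221" => ["uri", [["< 0.11.3"],
                               [">= 0.12.0", "< 0.12.4"],
                               [">= 0.13.0", "< 0.13.2"],
                               [">= 1.0.0",  "< 1.0.3"]]],
  # CVE-2023-28755: fixed in 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1
  "CVE-2023-28755" => ["uri", [["< 0.10.0.1"],
                               [">= 0.10.1", "< 0.10.2"],
                               [">= 0.11.0", "< 0.11.1"],
                               [">= 0.12.0", "< 0.12.1"]]],
  # REXML DoS/ReDoS advisories: fixed in 3.3.2, 3.3.3 and 3.3.9 respectively
  "CVE-2024-39908" => ["rexml", [["< 3.3.2"]]],
  "CVE-2024-41946" => ["rexml", [["< 3.3.3"]]],
  "CVE-2024-49761" => ["rexml", [["< 3.3.9"]]],
}.freeze

# CVE ids whose affected range contains `version` of `gem_name`.
def advisories_for(gem_name, version)
  v = Gem::Version.new(version)
  RUBY_GEM_ADVISORIES.select do |_cve, (name, ranges)|
    name == gem_name && ranges.any? { |r| Gem::Requirement.new(*r).satisfied_by?(v) }
  end.keys
end

# Minimal Gemfile.lock reader: the "    name (version)" lines under specs:.
# Returns { "rexml" => "3.3.2", ... }.
def lockfile_specs(lock_text)
  lock_text.scan(/^ {4}([A-Za-z0-9_\-]+) \(([0-9][0-9A-Za-z.]*)\)$/).to_h
end

# [[gem, version, [cve, ...]], ...] for every locked gem inside an affected range.
def scan_lockfile(lock_text)
  lockfile_specs(lock_text).filter_map do |name, version|
    hits = advisories_for(name, version)
    [name, version, hits] unless hits.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Gemfile.lock fragment.
  sample_lock = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        rexml (3.3.2)
        uri (0.12.3)
        rake (13.2.1)
  LOCK
  scan_lockfile(sample_lock).each do |name, version, cves|
    puts "#{name} #{version}: #{cves.join(', ')}"
  end
end
```

Two caveats from the advisories themselves: the CVE-2024-49761 advisory says the ReDoS does not occur on Ruby 3.2 or later, so a rexml match for that id on a newer interpreter is a lower-priority finding, and uri and rexml are default or bundled gems, so a version pinned in the lock file overrides the copy that ships with the interpreter and is the one that matters here.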
|
| 25 |
| url |
VCID-vcz9-dvf4-47am |
| vulnerability_id |
VCID-vcz9-dvf4-47am |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. This entry tracks CVE-2020-25613, a potential HTTP request smuggling issue in WEBrick, which was too tolerant of invalid Transfer-Encoding headers. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-25613 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50554 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50605 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50627 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50623 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50581 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50487 |
| published_at |
2026-04-01T12:55:00Z |
|
| 6 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50618 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50575 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50544 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50571 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50524 |
| published_at |
2026-04-07T12:55:00Z |
|
| 11 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50579 |
| published_at |
2026-04-08T12:55:00Z |
|
| 12 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50595 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-25613 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-25613, GHSA-gwfg-cqmg-cf8f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vcz9-dvf4-47am |
|
| 26 |
| url |
VCID-x126-x9qm-e7d3 |
| vulnerability_id |
VCID-x126-x9qm-e7d3 |
| summary |
ruby: Arbitrary memory address read vulnerability with Regex search |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27282 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0057 |
| scoring_system |
epss |
| scoring_elements |
0.6869 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.0057 |
| scoring_system |
epss |
| scoring_elements |
0.68642 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70027 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70066 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70057 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70013 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.69962 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.69977 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.69954 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70002 |
| published_at |
2026-04-08T12:55:00Z |
|
| 10 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70018 |
| published_at |
2026-04-09T12:55:00Z |
|
| 11 |
| value |
0.00619 |
| scoring_system |
epss |
| scoring_elements |
0.70042 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27282 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-27282, GHSA-63cq-cj6g-qfr2
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x126-x9qm-e7d3 |
|
| 27 |
| url |
VCID-xkby-43zv-x3f7 |
| vulnerability_id |
VCID-xkby-43zv-x3f7 |
| summary |
Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. This entry tracks CVE-2021-32066, a StartTLS stripping issue in Net::IMAP: the client did not raise when the server answered StartTLS with an unexpected response, so an attacker on the path could keep the session in plaintext. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-32066 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22303 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22177 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22419 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22364 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22381 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22378 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22327 |
| published_at |
2026-04-21T12:55:00Z |
|
| 7 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22468 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22514 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22302 |
| published_at |
2026-04-07T12:55:00Z |
|
| 10 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22384 |
| published_at |
2026-04-08T12:55:00Z |
|
| 11 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.22439 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00074 |
| scoring_system |
epss |
| scoring_elements |
0.2246 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-32066 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-32066, GHSA-gx49-h5r3-q3xj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xkby-43zv-x3f7 |
|
| 28 |
| url |
VCID-yj1t-rga1-x3ev |
| vulnerability_id |
VCID-yj1t-rga1-x3ev |
| summary |
REXML DoS vulnerability
### Impact
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML document that contains many specific characters such as whitespace characters, `>]` and `]>`.
If you need to parse untrusted XML documents, you may be affected by these vulnerabilities.
### Patches
The REXML gem 3.3.3 or later includes the patches that fix these vulnerabilities.
### Workarounds
Don't parse untrusted XML documents.
### References
* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
* https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/ : An announcement on www.ruby-lang.org |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-41123 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46079 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46139 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46143 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46088 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46108 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46084 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46086 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.4603 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46082 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00232 |
| scoring_system |
epss |
| scoring_elements |
0.46061 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46966 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.4698 |
| published_at |
2026-04-21T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-41123 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/ruby/rexml |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/ruby/rexml |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/ |
|
|
| url |
https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
| reference_url |
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 2 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/ |
|
|
| url |
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-41123, GHSA-r55c-59qm-vjw6
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yj1t-rga1-x3ev |
|