Vulnerability details: VCID-cnqr-6e98-5kgk
Vulnerability ID VCID-cnqr-6e98-5kgk
Aliases CVE-2011-0446
GHSA-75w6-p6mg-vh8j
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
generic_textual MODERATE http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
epss 0.0067 https://api.first.org/data/v1/epss?cve=CVE-2011-0446
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-75w6-p6mg-vh8j
generic_textual MODERATE https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
generic_textual MODERATE https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
generic_textual MODERATE https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2011-0446
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2011-0446
generic_textual MODERATE https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
generic_textual MODERATE https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
generic_textual MODERATE https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
generic_textual MODERATE https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
generic_textual MODERATE http://www.debian.org/security/2011/dsa-2247
Reference id Reference type URL
http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
https://api.first.org/data/v1/epss?cve=CVE-2011-0446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446
http://secunia.com/advisories/43274
http://secunia.com/advisories/43666
https://github.com/rails/rails
https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2
https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
http://www.debian.org/security/2011/dsa-2247
http://www.securityfocus.com/bid/46291
http://www.securitytracker.com/id?1025064
http://www.vupen.com/english/advisories/2011/0587
http://www.vupen.com/english/advisories/2011/0877
614864 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
CVE-2011-0446 https://nvd.nist.gov/vuln/detail/CVE-2011-0446
CVE-2011-0446.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml
CVE-2011-0446.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
GHSA-75w6-p6mg-vh8j https://github.com/advisories/GHSA-75w6-p6mg-vh8j
GLSA-201412-28 https://security.gentoo.org/glsa/201412-28
No exploits are available.
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-0446
Exploit Prediction Scoring System (EPSS)
Percentile 0.71274
EPSS Score 0.0067
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:25.157038+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2011-0446.yml 38.0.0