Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-gbvf-y28h-kqax
Vulnerability ID VCID-gbvf-y28h-kqax
Aliases CVE-2026-33195
GHSA-9xrj-h377-fr87
Summary Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-33195
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv4 8.0 https://github.com/rails/rails
generic_textual HIGH https://github.com/rails/rails
cvssv4 8 https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
cvssv4 8.0 https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
generic_textual HIGH https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
ssvc Track https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
cvssv4 8 https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
cvssv4 8.0 https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
generic_textual HIGH https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
ssvc Track https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
cvssv4 8 https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
cvssv4 8.0 https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
generic_textual HIGH https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
ssvc Track https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
cvssv4 8 https://github.com/rails/rails/releases/tag/v7.2.3.1
cvssv4 8.0 https://github.com/rails/rails/releases/tag/v7.2.3.1
generic_textual HIGH https://github.com/rails/rails/releases/tag/v7.2.3.1
ssvc Track https://github.com/rails/rails/releases/tag/v7.2.3.1
cvssv4 8 https://github.com/rails/rails/releases/tag/v8.0.4.1
cvssv4 8.0 https://github.com/rails/rails/releases/tag/v8.0.4.1
generic_textual HIGH https://github.com/rails/rails/releases/tag/v8.0.4.1
ssvc Track https://github.com/rails/rails/releases/tag/v8.0.4.1
cvssv4 8 https://github.com/rails/rails/releases/tag/v8.1.2.1
cvssv4 8.0 https://github.com/rails/rails/releases/tag/v8.1.2.1
generic_textual HIGH https://github.com/rails/rails/releases/tag/v8.1.2.1
ssvc Track https://github.com/rails/rails/releases/tag/v8.1.2.1
cvssv4 8 https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
cvssv4 8.0 https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
generic_textual HIGH https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
ssvc Track https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
cvssv4 8.0 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
cvssv4 8.0 https://nvd.nist.gov/vuln/detail/CVE-2026-33195
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-33195
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
https://api.first.org/data/v1/epss?cve=CVE-2026-33195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33195
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
https://github.com/rails/rails/releases/tag/v7.2.3.1
https://github.com/rails/rails/releases/tag/v8.0.4.1
https://github.com/rails/rails/releases/tag/v8.1.2.1
https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
https://nvd.nist.gov/vuln/detail/CVE-2026-33195
1132035 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
2450546 https://bugzilla.redhat.com/show_bug.cgi?id=2450546
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v7.2.3.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v7.2.3.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/releases/tag/v7.2.3.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v8.0.4.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v8.0.4.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/releases/tag/v8.0.4.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v8.1.2.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v8.1.2.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/releases/tag/v8.1.2.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/ Found at https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33195
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.11065
EPSS Score 0.00036
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:42:37.893489+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json 38.6.0