{"url":"http://public2.vulnerablecode.io/api/packages/1053396?format=json","purl":"pkg:deb/debian/ruby-nokogiri@1.5.5-1","type":"deb","namespace":"debian","name":"ruby-nokogiri","version":"1.5.5-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.13.10+dfsg-2","latest_non_vulnerable_version":"1.13.10+dfsg-2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31756?format=json","vulnerability_id":"VCID-64c1-dzhs-u3gj","summary":"Nokogiri has a vulnerability allowing arbitrary execution of code\n    if a certain function is used.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5477","reference_id":"","reference_type":"","scores":[{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90758","published_at":"2026-04-09T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90832","published_at":"2026-05-09T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.9082","published_at":"2026-05-07T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90802","published_at":"2026-05-05T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90784","published_at":"2026-04-29T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90789","published_at":"2026-04-26T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90777","published_at":"2026-04-21T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90779","published_at":"2026-04-18T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90782","published_at":"2026-04-16T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90763","published_at":"2026-04-13T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90765","published_at":"2026-04-12T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90714","published_at":"2026-04-01T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90751","published_at":"2026-04-08T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.9072","published_at":"2026-04-02T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.9073","published_at":"2026-04-04T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90741","published_at":"2026-04-07T12:55:00Z"},{"value":"0.06079","scoring_system":"epss","scoring_elements":"0.90766","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5477"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc"},{"reference_url":"https://github.com/sparklemotion/nokogiri/issues/1915","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/issues/1915"},{"reference_url":"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"},{"reference_url":"https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"},{"reference_url":"https://hackerone.com/reports/650835","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/650835"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5477","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5477"},{"reference_url":"https://usn.ubuntu.com/4175-1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4175-1"},{"reference_url":"https://usn.ubuntu.com/4175-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4175-1/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802","reference_id":"934802","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940905","reference_id":"940905","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940905"},{"reference_url":"https://github.com/advisories/GHSA-cr5j-953j-xw5p","reference_id":"GHSA-cr5j-953j-xw5p","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cr5j-953j-xw5p"},{"reference_url":"https://security.gentoo.org/glsa/202006-05","reference_id":"GLSA-202006-05","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202006-05"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994560?format=json","purl":"pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9wgc-swf9-z7hq"},{"vulnerability":"VCID-snr1-kaug-43aa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2"}],"aliases":["CVE-2019-5477","GHSA-cr5j-953j-xw5p"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64c1-dzhs-u3gj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13709?format=json","vulnerability_id":"VCID-9wgc-swf9-z7hq","summary":"Inefficient Regular Expression Complexity\nNokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24836","reference_id":"","reference_type":"","scores":[{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80139","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80124","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80102","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80088","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80015","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80018","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80035","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80006","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80072","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.79978","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80067","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80038","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.80039","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0134","scoring_system":"epss","scoring_elements":"0.8001","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01377","scoring_system":"epss","scoring_elements":"0.80208","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01377","scoring_system":"epss","scoring_elements":"0.80287","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01377","scoring_system":"epss","scoring_elements":"0.80228","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24836"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/23","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2022/Dec/23"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/"},{"reference_url":"https://security.gentoo.org/glsa/202208-29","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-29"},{"reference_url":"https://support.apple.com/kb/HT213532","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.apple.com/kb/HT213532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787","reference_id":"1009787","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2074346","reference_id":"2074346","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2074346"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24836","reference_id":"CVE-2022-24836","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24836"},{"reference_url":"https://github.com/advisories/GHSA-crjr-9rc5-ghw8","reference_id":"GHSA-crjr-9rc5-ghw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-crjr-9rc5-ghw8"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8","reference_id":"GHSA-crjr-9rc5-ghw8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8506","reference_id":"RHSA-2022:8506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8506"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994561?format=json","purl":"pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2"}],"aliases":["CVE-2022-24836","GHSA-crjr-9rc5-ghw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9wgc-swf9-z7hq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33287?format=json","vulnerability_id":"VCID-vhyk-9tbb-quc3","summary":"Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability\n### Severity\n\nNokogiri maintainers have evaluated this as [__Low Severity__ (CVSS3 2.6)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N).\n\n\n### Description\n\nIn Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.\n\nThis behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible.\n\nPlease note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be \"Low Severity\".\n\n\n### Affected Versions\n\nNokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`\n\n\n### Mitigation\n\nThere are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later.\n\nIf, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):\n\n1. Ensure the input is trusted. Do not enable this option for untrusted input.\n2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off.\n\nSo if your previous code was:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network\n# but in v1.11.0.rc4 and later, this call will disallow network access for external resources\nschema = Nokogiri::XML::Schema.new(schema)\n\n# in v1.11.0.rc4 and later, the following is equivalent to the code above\n# (the second parameter is optional, and this demonstrates its default value)\nschema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)\n```\n\nThen you can add the second parameter to indicate that the input is trusted by changing it to:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this would raise an ArgumentError \n# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n\n\n### References\n\n- [This issue's public advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m)\n- [Original Hackerone report (private)](https://hackerone.com/reports/747489)\n- [OWASP description of XXE attack](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)\n- [OWASP description of SSRF attack](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n\n\n### Credit \n\nThis vulnerability was independently reported by @eric-therond and @gucki.\n\nThe Nokogiri maintainers would like to thank [HackerOne](https://hackerone.com/nokogiri) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26247","reference_id":"","reference_type":"","scores":[{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72557","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72531","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72502","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72511","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72514","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72506","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72463","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72475","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72376","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72428","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72416","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72377","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72399","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72381","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72466","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72425","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72434","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72451","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26247"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m"},{"reference_url":"https://hackerone.com/reports/747489","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/747489"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26247","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26247"},{"reference_url":"https://rubygems.org/gems/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/nokogiri"},{"reference_url":"https://security.gentoo.org/glsa/202208-29","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-29"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1912487","reference_id":"1912487","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1912487"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967","reference_id":"978967","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967"},{"reference_url":"https://github.com/advisories/GHSA-vr8q-g5c7-m54m","reference_id":"GHSA-vr8q-g5c7-m54m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vr8q-g5c7-m54m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5191","reference_id":"RHSA-2021:5191","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5191"},{"reference_url":"https://usn.ubuntu.com/7659-1/","reference_id":"USN-7659-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7659-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994560?format=json","purl":"pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9wgc-swf9-z7hq"},{"vulnerability":"VCID-snr1-kaug-43aa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2"}],"aliases":["CVE-2020-26247","GHSA-vr8q-g5c7-m54m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vhyk-9tbb-quc3"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.5.5-1"}