Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rack@2.2.15
Typegem
Namespace
Namerack
Version2.2.15
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-1j61-5e8x-7fbd
vulnerability_id VCID-1j61-5e8x-7fbd
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34829
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.1247
published_at 2026-04-07T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12659
published_at 2026-04-04T12:55:00Z
2
value 0.00054
scoring_system epss
scoring_elements 0.17054
published_at 2026-04-08T12:55:00Z
3
value 0.00054
scoring_system epss
scoring_elements 0.16916
published_at 2026-04-16T12:55:00Z
4
value 0.00054
scoring_system epss
scoring_elements 0.1698
published_at 2026-04-13T12:55:00Z
5
value 0.00054
scoring_system epss
scoring_elements 0.17041
published_at 2026-04-12T12:55:00Z
6
value 0.00054
scoring_system epss
scoring_elements 0.17088
published_at 2026-04-11T12:55:00Z
7
value 0.00054
scoring_system epss
scoring_elements 0.17112
published_at 2026-04-09T12:55:00Z
8
value 0.0006
scoring_system epss
scoring_elements 0.18643
published_at 2026-04-21T12:55:00Z
9
value 0.0006
scoring_system epss
scoring_elements 0.18624
published_at 2026-04-18T12:55:00Z
10
value 0.0006
scoring_system epss
scoring_elements 0.1847
published_at 2026-04-29T12:55:00Z
11
value 0.0006
scoring_system epss
scoring_elements 0.18534
published_at 2026-04-24T12:55:00Z
12
value 0.0006
scoring_system epss
scoring_elements 0.18514
published_at 2026-04-26T12:55:00Z
13
value 0.00065
scoring_system epss
scoring_elements 0.20156
published_at 2026-05-14T12:55:00Z
14
value 0.00065
scoring_system epss
scoring_elements 0.19909
published_at 2026-05-05T12:55:00Z
15
value 0.00065
scoring_system epss
scoring_elements 0.19987
published_at 2026-05-07T12:55:00Z
16
value 0.00065
scoring_system epss
scoring_elements 0.20073
published_at 2026-05-09T12:55:00Z
17
value 0.00065
scoring_system epss
scoring_elements 0.20043
published_at 2026-05-11T12:55:00Z
18
value 0.00065
scoring_system epss
scoring_elements 0.20067
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34829
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34829.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34829.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34829
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34829
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454488
reference_id 2454488
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454488
8
reference_url https://github.com/advisories/GHSA-8vqr-qjwx-82mw
reference_id GHSA-8vqr-qjwx-82mw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vqr-qjwx-82mw
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
reference_id GHSA-8vqr-qjwx-82mw
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:27Z/
url https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34829, GHSA-8vqr-qjwx-82mw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1j61-5e8x-7fbd
1
url VCID-2p73-rc9t-rudb
vulnerability_id VCID-2p73-rc9t-rudb
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34831
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
8
value 0.00038
scoring_system epss
scoring_elements 0.11443
published_at 2026-04-21T12:55:00Z
9
value 0.00038
scoring_system epss
scoring_elements 0.11321
published_at 2026-04-18T12:55:00Z
10
value 0.00038
scoring_system epss
scoring_elements 0.11388
published_at 2026-04-24T12:55:00Z
11
value 0.00038
scoring_system epss
scoring_elements 0.11346
published_at 2026-04-26T12:55:00Z
12
value 0.00038
scoring_system epss
scoring_elements 0.11277
published_at 2026-04-29T12:55:00Z
13
value 0.00041
scoring_system epss
scoring_elements 0.12669
published_at 2026-05-14T12:55:00Z
14
value 0.00041
scoring_system epss
scoring_elements 0.12384
published_at 2026-05-05T12:55:00Z
15
value 0.00041
scoring_system epss
scoring_elements 0.12523
published_at 2026-05-07T12:55:00Z
16
value 0.00041
scoring_system epss
scoring_elements 0.12581
published_at 2026-05-09T12:55:00Z
17
value 0.00041
scoring_system epss
scoring_elements 0.12577
published_at 2026-05-11T12:55:00Z
18
value 0.00041
scoring_system epss
scoring_elements 0.12603
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34831
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:43:52Z/
url https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34831.yml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34831.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34831
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34831
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454504
reference_id 2454504
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454504
9
reference_url https://github.com/advisories/GHSA-q2ww-5357-x388
reference_id GHSA-q2ww-5357-x388
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2ww-5357-x388
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34831, GHSA-q2ww-5357-x388
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2p73-rc9t-rudb
2
url VCID-2qba-a6bp-ryak
vulnerability_id VCID-2qba-a6bp-ryak
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34785
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08773
published_at 2026-04-07T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.08839
published_at 2026-04-04T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12341
published_at 2026-04-08T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12223
published_at 2026-04-16T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12323
published_at 2026-04-13T12:55:00Z
5
value 0.00041
scoring_system epss
scoring_elements 0.12361
published_at 2026-04-12T12:55:00Z
6
value 0.00041
scoring_system epss
scoring_elements 0.12399
published_at 2026-04-11T12:55:00Z
7
value 0.00041
scoring_system epss
scoring_elements 0.12391
published_at 2026-04-09T12:55:00Z
8
value 0.00043
scoring_system epss
scoring_elements 0.13017
published_at 2026-04-21T12:55:00Z
9
value 0.00043
scoring_system epss
scoring_elements 0.12919
published_at 2026-04-18T12:55:00Z
10
value 0.00043
scoring_system epss
scoring_elements 0.129
published_at 2026-04-29T12:55:00Z
11
value 0.00043
scoring_system epss
scoring_elements 0.13038
published_at 2026-04-24T12:55:00Z
12
value 0.00043
scoring_system epss
scoring_elements 0.13006
published_at 2026-04-26T12:55:00Z
13
value 0.00047
scoring_system epss
scoring_elements 0.14452
published_at 2026-05-14T12:55:00Z
14
value 0.00047
scoring_system epss
scoring_elements 0.14101
published_at 2026-05-05T12:55:00Z
15
value 0.00047
scoring_system epss
scoring_elements 0.14253
published_at 2026-05-07T12:55:00Z
16
value 0.00047
scoring_system epss
scoring_elements 0.14342
published_at 2026-05-09T12:55:00Z
17
value 0.00047
scoring_system epss
scoring_elements 0.14328
published_at 2026-05-11T12:55:00Z
18
value 0.00047
scoring_system epss
scoring_elements 0.14369
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34785
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34785.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34785.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34785
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34785
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454486
reference_id 2454486
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454486
8
reference_url https://github.com/advisories/GHSA-h2jq-g4cq-5ppq
reference_id GHSA-h2jq-g4cq-5ppq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h2jq-g4cq-5ppq
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
reference_id GHSA-h2jq-g4cq-5ppq
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:58:57Z/
url https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34785, GHSA-h2jq-g4cq-5ppq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2qba-a6bp-ryak
3
url VCID-5twm-pqc2-xyfn
vulnerability_id VCID-5twm-pqc2-xyfn
summary Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34835
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.19887
published_at 2026-04-07T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20158
published_at 2026-04-04T12:55:00Z
2
value 0.00103
scoring_system epss
scoring_elements 0.28125
published_at 2026-04-16T12:55:00Z
3
value 0.00103
scoring_system epss
scoring_elements 0.28205
published_at 2026-04-09T12:55:00Z
4
value 0.00103
scoring_system epss
scoring_elements 0.28213
published_at 2026-04-11T12:55:00Z
5
value 0.00103
scoring_system epss
scoring_elements 0.28171
published_at 2026-04-12T12:55:00Z
6
value 0.00103
scoring_system epss
scoring_elements 0.28113
published_at 2026-04-13T12:55:00Z
7
value 0.00103
scoring_system epss
scoring_elements 0.28107
published_at 2026-04-18T12:55:00Z
8
value 0.00103
scoring_system epss
scoring_elements 0.27794
published_at 2026-04-29T12:55:00Z
9
value 0.00103
scoring_system epss
scoring_elements 0.2787
published_at 2026-04-26T12:55:00Z
10
value 0.00103
scoring_system epss
scoring_elements 0.27982
published_at 2026-04-24T12:55:00Z
11
value 0.00103
scoring_system epss
scoring_elements 0.28063
published_at 2026-04-21T12:55:00Z
12
value 0.00103
scoring_system epss
scoring_elements 0.28163
published_at 2026-04-08T12:55:00Z
13
value 0.00112
scoring_system epss
scoring_elements 0.29236
published_at 2026-05-07T12:55:00Z
14
value 0.00112
scoring_system epss
scoring_elements 0.29176
published_at 2026-05-05T12:55:00Z
15
value 0.00112
scoring_system epss
scoring_elements 0.29193
published_at 2026-05-12T12:55:00Z
16
value 0.00112
scoring_system epss
scoring_elements 0.2925
published_at 2026-05-09T12:55:00Z
17
value 0.00112
scoring_system epss
scoring_elements 0.29173
published_at 2026-05-11T12:55:00Z
18
value 0.00152
scoring_system epss
scoring_elements 0.35452
published_at 2026-05-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34835
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34835.yml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34835.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34835
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34835
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454482
reference_id 2454482
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454482
8
reference_url https://github.com/advisories/GHSA-g2pf-xv49-m2h5
reference_id GHSA-g2pf-xv49-m2h5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g2pf-xv49-m2h5
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
reference_id GHSA-g2pf-xv49-m2h5
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:43:54Z/
url https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
1
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34835, GHSA-g2pf-xv49-m2h5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5twm-pqc2-xyfn
4
url VCID-7wvj-9h3p-23am
vulnerability_id VCID-7wvj-9h3p-23am
summary 
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.

### Details

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

### Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
reference_id
reference_type
scores
0
value 0.00569
scoring_system epss
scoring_elements 0.68752
published_at 2026-05-14T12:55:00Z
1
value 0.00569
scoring_system epss
scoring_elements 0.68698
published_at 2026-05-12T12:55:00Z
2
value 0.00569
scoring_system epss
scoring_elements 0.68674
published_at 2026-05-11T12:55:00Z
3
value 0.00569
scoring_system epss
scoring_elements 0.68707
published_at 2026-05-09T12:55:00Z
4
value 0.00569
scoring_system epss
scoring_elements 0.6867
published_at 2026-05-07T12:55:00Z
5
value 0.00569
scoring_system epss
scoring_elements 0.68627
published_at 2026-05-05T12:55:00Z
6
value 0.00569
scoring_system epss
scoring_elements 0.68648
published_at 2026-04-29T12:55:00Z
7
value 0.00569
scoring_system epss
scoring_elements 0.68643
published_at 2026-04-26T12:55:00Z
8
value 0.00569
scoring_system epss
scoring_elements 0.68638
published_at 2026-04-24T12:55:00Z
9
value 0.00569
scoring_system epss
scoring_elements 0.68589
published_at 2026-04-21T12:55:00Z
10
value 0.00569
scoring_system epss
scoring_elements 0.68576
published_at 2026-04-09T12:55:00Z
11
value 0.00569
scoring_system epss
scoring_elements 0.68507
published_at 2026-04-07T12:55:00Z
12
value 0.00569
scoring_system epss
scoring_elements 0.68558
published_at 2026-04-08T12:55:00Z
13
value 0.00569
scoring_system epss
scoring_elements 0.68602
published_at 2026-04-11T12:55:00Z
14
value 0.00569
scoring_system epss
scoring_elements 0.6851
published_at 2026-04-02T12:55:00Z
15
value 0.00569
scoring_system epss
scoring_elements 0.68611
published_at 2026-04-18T12:55:00Z
16
value 0.00569
scoring_system epss
scoring_elements 0.686
published_at 2026-04-16T12:55:00Z
17
value 0.00569
scoring_system epss
scoring_elements 0.6856
published_at 2026-04-13T12:55:00Z
18
value 0.00569
scoring_system epss
scoring_elements 0.68528
published_at 2026-04-04T12:55:00Z
19
value 0.00569
scoring_system epss
scoring_elements 0.6859
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
5
reference_url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id 1107363
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id 2370346
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
11
reference_url https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id GHSA-47m2-26rw-j2jw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-47m2-26rw-j2jw
fixed_packages
0
url pkg:gem/rack@3.1.16
purl pkg:gem/rack@3.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7wvj-9h3p-23am
5
vulnerability VCID-9rpp-9xss-duf6
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-dh75-6jyw-1ke2
10
vulnerability VCID-j34j-bgfd-8fez
11
vulnerability VCID-jg77-mm5c-gydu
12
vulnerability VCID-m98a-mcyb-c7fm
13
vulnerability VCID-metf-cghw-p3b5
14
vulnerability VCID-npag-sz7d-v7b6
15
vulnerability VCID-p3dk-p1gb-kkem
16
vulnerability VCID-pbu7-4hdm-s3a6
17
vulnerability VCID-s971-gkdg-jkhc
18
vulnerability VCID-skxv-7he3-xqgc
19
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16
aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7wvj-9h3p-23am
5
url VCID-9rpp-9xss-duf6
vulnerability_id VCID-9rpp-9xss-duf6
summary 
Rack has a Directory Traversal via Rack:Directory
## Summary

`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

## Details

In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. 

## Impact

Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).

## Mitigation

* Update to a patched version of Rack that correctly checks the root prefix.
* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
reference_id
reference_type
scores
0
value 0.001
scoring_system epss
scoring_elements 0.27495
published_at 2026-04-26T12:55:00Z
1
value 0.001
scoring_system epss
scoring_elements 0.27602
published_at 2026-04-24T12:55:00Z
2
value 0.001
scoring_system epss
scoring_elements 0.27655
published_at 2026-04-21T12:55:00Z
3
value 0.001
scoring_system epss
scoring_elements 0.27694
published_at 2026-04-18T12:55:00Z
4
value 0.001
scoring_system epss
scoring_elements 0.2772
published_at 2026-04-16T12:55:00Z
5
value 0.001
scoring_system epss
scoring_elements 0.27712
published_at 2026-04-13T12:55:00Z
6
value 0.001
scoring_system epss
scoring_elements 0.27769
published_at 2026-04-12T12:55:00Z
7
value 0.001
scoring_system epss
scoring_elements 0.27811
published_at 2026-04-11T12:55:00Z
8
value 0.001
scoring_system epss
scoring_elements 0.27805
published_at 2026-04-09T12:55:00Z
9
value 0.001
scoring_system epss
scoring_elements 0.27762
published_at 2026-04-08T12:55:00Z
10
value 0.001
scoring_system epss
scoring_elements 0.27695
published_at 2026-04-07T12:55:00Z
11
value 0.001
scoring_system epss
scoring_elements 0.27862
published_at 2026-04-02T12:55:00Z
12
value 0.001
scoring_system epss
scoring_elements 0.27903
published_at 2026-04-04T12:55:00Z
13
value 0.00105
scoring_system epss
scoring_elements 0.28082
published_at 2026-05-14T12:55:00Z
14
value 0.00105
scoring_system epss
scoring_elements 0.28153
published_at 2026-04-29T12:55:00Z
15
value 0.00105
scoring_system epss
scoring_elements 0.27989
published_at 2026-05-05T12:55:00Z
16
value 0.00105
scoring_system epss
scoring_elements 0.2805
published_at 2026-05-07T12:55:00Z
17
value 0.00105
scoring_system epss
scoring_elements 0.28073
published_at 2026-05-09T12:55:00Z
18
value 0.00105
scoring_system epss
scoring_elements 0.27991
published_at 2026-05-11T12:55:00Z
19
value 0.00105
scoring_system epss
scoring_elements 0.28011
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id 1128479
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id 2440737
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
11
reference_url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
12
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@2.2.22
purl pkg:gem/rack@2.2.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-j34j-bgfd-8fez
5
vulnerability VCID-jg77-mm5c-gydu
6
vulnerability VCID-m98a-mcyb-c7fm
7
vulnerability VCID-metf-cghw-p3b5
8
vulnerability VCID-p3dk-p1gb-kkem
9
vulnerability VCID-pbu7-4hdm-s3a6
10
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22
1
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-dh75-6jyw-1ke2
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
2
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-dh75-6jyw-1ke2
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-pnz8-yes1-pfc7
12
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6
6
url VCID-azu5-jcmd-3ufx
vulnerability_id VCID-azu5-jcmd-3ufx
summary 
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
reference_id
reference_type
scores
0
value 0.00193
scoring_system epss
scoring_elements 0.41278
published_at 2026-04-04T12:55:00Z
1
value 0.00193
scoring_system epss
scoring_elements 0.4118
published_at 2026-04-21T12:55:00Z
2
value 0.00193
scoring_system epss
scoring_elements 0.41252
published_at 2026-04-18T12:55:00Z
3
value 0.00193
scoring_system epss
scoring_elements 0.41281
published_at 2026-04-16T12:55:00Z
4
value 0.00193
scoring_system epss
scoring_elements 0.41238
published_at 2026-04-13T12:55:00Z
5
value 0.00193
scoring_system epss
scoring_elements 0.41249
published_at 2026-04-02T12:55:00Z
6
value 0.00193
scoring_system epss
scoring_elements 0.41251
published_at 2026-04-12T12:55:00Z
7
value 0.00193
scoring_system epss
scoring_elements 0.41283
published_at 2026-04-11T12:55:00Z
8
value 0.00193
scoring_system epss
scoring_elements 0.41261
published_at 2026-04-09T12:55:00Z
9
value 0.00193
scoring_system epss
scoring_elements 0.41253
published_at 2026-04-08T12:55:00Z
10
value 0.00193
scoring_system epss
scoring_elements 0.41203
published_at 2026-04-07T12:55:00Z
11
value 0.00193
scoring_system epss
scoring_elements 0.40983
published_at 2026-04-29T12:55:00Z
12
value 0.00193
scoring_system epss
scoring_elements 0.41064
published_at 2026-04-26T12:55:00Z
13
value 0.00193
scoring_system epss
scoring_elements 0.41069
published_at 2026-04-24T12:55:00Z
14
value 0.00211
scoring_system epss
scoring_elements 0.4346
published_at 2026-05-14T12:55:00Z
15
value 0.00221
scoring_system epss
scoring_elements 0.44494
published_at 2026-05-11T12:55:00Z
16
value 0.00221
scoring_system epss
scoring_elements 0.44557
published_at 2026-05-09T12:55:00Z
17
value 0.00221
scoring_system epss
scoring_elements 0.44539
published_at 2026-05-07T12:55:00Z
18
value 0.00221
scoring_system epss
scoring_elements 0.44469
published_at 2026-05-05T12:55:00Z
19
value 0.00221
scoring_system epss
scoring_elements 0.44523
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id 2402200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
reference_id CVE-2025-61772
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
reference_id CVE-2025-61772.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
12
reference_url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
2
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-s971-gkdg-jkhc
14
vulnerability VCID-skxv-7he3-xqgc
15
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
3
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-pnz8-yes1-pfc7
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx
7
url VCID-c5sc-7qnn-mkb9
vulnerability_id VCID-c5sc-7qnn-mkb9
summary 
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
reference_id
reference_type
scores
0
value 0.00098
scoring_system epss
scoring_elements 0.26973
published_at 2026-04-18T12:55:00Z
1
value 0.00098
scoring_system epss
scoring_elements 0.26816
published_at 2026-04-29T12:55:00Z
2
value 0.00098
scoring_system epss
scoring_elements 0.2688
published_at 2026-04-26T12:55:00Z
3
value 0.00098
scoring_system epss
scoring_elements 0.26888
published_at 2026-04-24T12:55:00Z
4
value 0.00098
scoring_system epss
scoring_elements 0.26937
published_at 2026-04-21T12:55:00Z
5
value 0.00098
scoring_system epss
scoring_elements 0.26999
published_at 2026-04-16T12:55:00Z
6
value 0.00098
scoring_system epss
scoring_elements 0.2699
published_at 2026-04-13T12:55:00Z
7
value 0.00098
scoring_system epss
scoring_elements 0.27146
published_at 2026-04-02T12:55:00Z
8
value 0.00098
scoring_system epss
scoring_elements 0.27047
published_at 2026-04-12T12:55:00Z
9
value 0.00098
scoring_system epss
scoring_elements 0.27091
published_at 2026-04-11T12:55:00Z
10
value 0.00098
scoring_system epss
scoring_elements 0.27087
published_at 2026-04-09T12:55:00Z
11
value 0.00098
scoring_system epss
scoring_elements 0.27182
published_at 2026-04-04T12:55:00Z
12
value 0.00098
scoring_system epss
scoring_elements 0.27042
published_at 2026-04-08T12:55:00Z
13
value 0.00107
scoring_system epss
scoring_elements 0.28554
published_at 2026-05-14T12:55:00Z
14
value 0.00113
scoring_system epss
scoring_elements 0.29345
published_at 2026-05-12T12:55:00Z
15
value 0.00113
scoring_system epss
scoring_elements 0.29328
published_at 2026-05-05T12:55:00Z
16
value 0.00113
scoring_system epss
scoring_elements 0.29404
published_at 2026-05-09T12:55:00Z
17
value 0.00113
scoring_system epss
scoring_elements 0.29325
published_at 2026-05-11T12:55:00Z
18
value 0.00113
scoring_system epss
scoring_elements 0.29391
published_at 2026-05-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id 1117628
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id 2402175
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
reference_id CVE-2025-61771
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
reference_id CVE-2025-61771.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
12
reference_url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
19
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
20
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
21
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
22
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
23
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
24
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
2
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-s971-gkdg-jkhc
14
vulnerability VCID-skxv-7he3-xqgc
15
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
3
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-pnz8-yes1-pfc7
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9
8
url VCID-d58r-22kr-9bct
vulnerability_id VCID-d58r-22kr-9bct
summary 
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
reference_id
reference_type
scores
0
value 0.00035
scoring_system epss
scoring_elements 0.10394
published_at 2026-04-04T12:55:00Z
1
value 0.00035
scoring_system epss
scoring_elements 0.10238
published_at 2026-04-18T12:55:00Z
2
value 0.00035
scoring_system epss
scoring_elements 0.10267
published_at 2026-04-16T12:55:00Z
3
value 0.00035
scoring_system epss
scoring_elements 0.10396
published_at 2026-04-13T12:55:00Z
4
value 0.00035
scoring_system epss
scoring_elements 0.10328
published_at 2026-04-02T12:55:00Z
5
value 0.00035
scoring_system epss
scoring_elements 0.10418
published_at 2026-04-12T12:55:00Z
6
value 0.00035
scoring_system epss
scoring_elements 0.10462
published_at 2026-04-11T12:55:00Z
7
value 0.00035
scoring_system epss
scoring_elements 0.10434
published_at 2026-04-09T12:55:00Z
8
value 0.00035
scoring_system epss
scoring_elements 0.10368
published_at 2026-04-08T12:55:00Z
9
value 0.00035
scoring_system epss
scoring_elements 0.10294
published_at 2026-04-07T12:55:00Z
10
value 0.00035
scoring_system epss
scoring_elements 0.10234
published_at 2026-05-05T12:55:00Z
11
value 0.00035
scoring_system epss
scoring_elements 0.10285
published_at 2026-04-29T12:55:00Z
12
value 0.00035
scoring_system epss
scoring_elements 0.10343
published_at 2026-04-26T12:55:00Z
13
value 0.00035
scoring_system epss
scoring_elements 0.10351
published_at 2026-04-24T12:55:00Z
14
value 0.00035
scoring_system epss
scoring_elements 0.10369
published_at 2026-04-21T12:55:00Z
15
value 0.0004
scoring_system epss
scoring_elements 0.12261
published_at 2026-05-14T12:55:00Z
16
value 0.0004
scoring_system epss
scoring_elements 0.12172
published_at 2026-05-11T12:55:00Z
17
value 0.0004
scoring_system epss
scoring_elements 0.12192
published_at 2026-05-09T12:55:00Z
18
value 0.0004
scoring_system epss
scoring_elements 0.12135
published_at 2026-05-07T12:55:00Z
19
value 0.0004
scoring_system epss
scoring_elements 0.12195
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
6
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
7
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id 1117855
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id 2403126
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
12
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r657-rxjc-j557
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
14
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.20
purl pkg:gem/rack@2.2.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-skxv-7he3-xqgc
12
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
2
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-dh75-6jyw-1ke2
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-skxv-7he3-xqgc
13
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
3
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-dh75-6jyw-1ke2
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-pnz8-yes1-pfc7
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61780, GHSA-r657-rxjc-j557
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct
9
url VCID-gdhf-e8q1-kbat
vulnerability_id VCID-gdhf-e8q1-kbat
summary 
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59830
reference_id
reference_type
scores
0
value 0.00069
scoring_system epss
scoring_elements 0.21206
published_at 2026-04-18T12:55:00Z
1
value 0.00069
scoring_system epss
scoring_elements 0.21196
published_at 2026-04-16T12:55:00Z
2
value 0.00069
scoring_system epss
scoring_elements 0.21203
published_at 2026-04-13T12:55:00Z
3
value 0.00069
scoring_system epss
scoring_elements 0.21256
published_at 2026-04-12T12:55:00Z
4
value 0.00069
scoring_system epss
scoring_elements 0.21297
published_at 2026-04-11T12:55:00Z
5
value 0.00069
scoring_system epss
scoring_elements 0.21287
published_at 2026-04-09T12:55:00Z
6
value 0.00069
scoring_system epss
scoring_elements 0.21225
published_at 2026-04-08T12:55:00Z
7
value 0.00069
scoring_system epss
scoring_elements 0.21145
published_at 2026-04-07T12:55:00Z
8
value 0.00069
scoring_system epss
scoring_elements 0.21337
published_at 2026-04-02T12:55:00Z
9
value 0.00069
scoring_system epss
scoring_elements 0.21392
published_at 2026-04-04T12:55:00Z
10
value 0.00071
scoring_system epss
scoring_elements 0.21566
published_at 2026-05-14T12:55:00Z
11
value 0.00071
scoring_system epss
scoring_elements 0.21344
published_at 2026-05-05T12:55:00Z
12
value 0.00071
scoring_system epss
scoring_elements 0.21411
published_at 2026-05-07T12:55:00Z
13
value 0.00071
scoring_system epss
scoring_elements 0.21497
published_at 2026-05-09T12:55:00Z
14
value 0.00071
scoring_system epss
scoring_elements 0.21474
published_at 2026-05-11T12:55:00Z
15
value 0.00071
scoring_system epss
scoring_elements 0.21494
published_at 2026-05-12T12:55:00Z
16
value 0.00074
scoring_system epss
scoring_elements 0.22371
published_at 2026-04-21T12:55:00Z
17
value 0.00074
scoring_system epss
scoring_elements 0.22201
published_at 2026-04-29T12:55:00Z
18
value 0.00074
scoring_system epss
scoring_elements 0.22207
published_at 2026-04-26T12:55:00Z
19
value 0.00074
scoring_system epss
scoring_elements 0.22221
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59830
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/
url https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
reference_id 1116431
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2398167
reference_id 2398167
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2398167
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59830
reference_id CVE-2025-59830
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59830
9
reference_url https://github.com/advisories/GHSA-625h-95r8-8xpm
reference_id GHSA-625h-95r8-8xpm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-625h-95r8-8xpm
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
reference_id GHSA-625h-95r8-8xpm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/
url https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
11
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
12
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
13
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
14
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
15
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
16
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
17
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
18
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
19
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
20
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
21
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://usn.ubuntu.com/7784-1/
reference_id USN-7784-1
reference_type
scores
url https://usn.ubuntu.com/7784-1/
26
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.18
purl pkg:gem/rack@2.2.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-azu5-jcmd-3ufx
6
vulnerability VCID-c5sc-7qnn-mkb9
7
vulnerability VCID-d58r-22kr-9bct
8
vulnerability VCID-j34j-bgfd-8fez
9
vulnerability VCID-jg77-mm5c-gydu
10
vulnerability VCID-m98a-mcyb-c7fm
11
vulnerability VCID-metf-cghw-p3b5
12
vulnerability VCID-npag-sz7d-v7b6
13
vulnerability VCID-p3dk-p1gb-kkem
14
vulnerability VCID-pbu7-4hdm-s3a6
15
vulnerability VCID-s971-gkdg-jkhc
16
vulnerability VCID-skxv-7he3-xqgc
17
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
aliases CVE-2025-59830, GHSA-625h-95r8-8xpm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gdhf-e8q1-kbat
10
url VCID-j34j-bgfd-8fez
vulnerability_id VCID-j34j-bgfd-8fez
summary Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32762
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10592
published_at 2026-04-18T12:55:00Z
8
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
9
value 0.00044
scoring_system epss
scoring_elements 0.13544
published_at 2026-04-21T12:55:00Z
10
value 0.00044
scoring_system epss
scoring_elements 0.13527
published_at 2026-04-26T12:55:00Z
11
value 0.00044
scoring_system epss
scoring_elements 0.13418
published_at 2026-04-29T12:55:00Z
12
value 0.00044
scoring_system epss
scoring_elements 0.13555
published_at 2026-04-24T12:55:00Z
13
value 0.00048
scoring_system epss
scoring_elements 0.15061
published_at 2026-05-14T12:55:00Z
14
value 0.00048
scoring_system epss
scoring_elements 0.14732
published_at 2026-05-05T12:55:00Z
15
value 0.00048
scoring_system epss
scoring_elements 0.14858
published_at 2026-05-07T12:55:00Z
16
value 0.00048
scoring_system epss
scoring_elements 0.14948
published_at 2026-05-09T12:55:00Z
17
value 0.00048
scoring_system epss
scoring_elements 0.14936
published_at 2026-05-11T12:55:00Z
18
value 0.00048
scoring_system epss
scoring_elements 0.14982
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32762
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-32762.yml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-32762.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32762
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32762
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454489
reference_id 2454489
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454489
8
reference_url https://github.com/advisories/GHSA-qfgr-crr9-7r49
reference_id GHSA-qfgr-crr9-7r49
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qfgr-crr9-7r49
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
reference_id GHSA-qfgr-crr9-7r49
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:32Z/
url https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
1
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-32762, GHSA-qfgr-crr9-7r49
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j34j-bgfd-8fez
11
url VCID-jg77-mm5c-gydu
vulnerability_id VCID-jg77-mm5c-gydu
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34763
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.0776
published_at 2026-04-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.07801
published_at 2026-04-04T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10699
published_at 2026-04-08T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10578
published_at 2026-04-16T12:55:00Z
4
value 0.00036
scoring_system epss
scoring_elements 0.10714
published_at 2026-04-13T12:55:00Z
5
value 0.00036
scoring_system epss
scoring_elements 0.10738
published_at 2026-04-12T12:55:00Z
6
value 0.00036
scoring_system epss
scoring_elements 0.1077
published_at 2026-04-11T12:55:00Z
7
value 0.00036
scoring_system epss
scoring_elements 0.10755
published_at 2026-04-09T12:55:00Z
8
value 0.00038
scoring_system epss
scoring_elements 0.11443
published_at 2026-04-21T12:55:00Z
9
value 0.00038
scoring_system epss
scoring_elements 0.11321
published_at 2026-04-18T12:55:00Z
10
value 0.00038
scoring_system epss
scoring_elements 0.11277
published_at 2026-04-29T12:55:00Z
11
value 0.00038
scoring_system epss
scoring_elements 0.11388
published_at 2026-04-24T12:55:00Z
12
value 0.00038
scoring_system epss
scoring_elements 0.11346
published_at 2026-04-26T12:55:00Z
13
value 0.00041
scoring_system epss
scoring_elements 0.12669
published_at 2026-05-14T12:55:00Z
14
value 0.00041
scoring_system epss
scoring_elements 0.12384
published_at 2026-05-05T12:55:00Z
15
value 0.00041
scoring_system epss
scoring_elements 0.12523
published_at 2026-05-07T12:55:00Z
16
value 0.00041
scoring_system epss
scoring_elements 0.12581
published_at 2026-05-09T12:55:00Z
17
value 0.00041
scoring_system epss
scoring_elements 0.12577
published_at 2026-05-11T12:55:00Z
18
value 0.00041
scoring_system epss
scoring_elements 0.12603
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34763
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34763.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34763.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34763
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34763
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454498
reference_id 2454498
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454498
8
reference_url https://github.com/advisories/GHSA-7mqq-6cf9-v2qp
reference_id GHSA-7mqq-6cf9-v2qp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7mqq-6cf9-v2qp
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
reference_id GHSA-7mqq-6cf9-v2qp
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34763, GHSA-7mqq-6cf9-v2qp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jg77-mm5c-gydu
12
url VCID-m98a-mcyb-c7fm
vulnerability_id VCID-m98a-mcyb-c7fm
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34786
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.08165
published_at 2026-04-07T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08219
published_at 2026-04-04T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11376
published_at 2026-04-08T12:55:00Z
3
value 0.00038
scoring_system epss
scoring_elements 0.11236
published_at 2026-04-16T12:55:00Z
4
value 0.00038
scoring_system epss
scoring_elements 0.11377
published_at 2026-04-13T12:55:00Z
5
value 0.00038
scoring_system epss
scoring_elements 0.11407
published_at 2026-04-12T12:55:00Z
6
value 0.00038
scoring_system epss
scoring_elements 0.1144
published_at 2026-04-11T12:55:00Z
7
value 0.00038
scoring_system epss
scoring_elements 0.11434
published_at 2026-04-09T12:55:00Z
8
value 0.0004
scoring_system epss
scoring_elements 0.12129
published_at 2026-04-21T12:55:00Z
9
value 0.0004
scoring_system epss
scoring_elements 0.12015
published_at 2026-04-18T12:55:00Z
10
value 0.0004
scoring_system epss
scoring_elements 0.1211
published_at 2026-04-24T12:55:00Z
11
value 0.0004
scoring_system epss
scoring_elements 0.12077
published_at 2026-04-26T12:55:00Z
12
value 0.0004
scoring_system epss
scoring_elements 0.11977
published_at 2026-04-29T12:55:00Z
13
value 0.00044
scoring_system epss
scoring_elements 0.13428
published_at 2026-05-14T12:55:00Z
14
value 0.00044
scoring_system epss
scoring_elements 0.13087
published_at 2026-05-05T12:55:00Z
15
value 0.00044
scoring_system epss
scoring_elements 0.13242
published_at 2026-05-07T12:55:00Z
16
value 0.00044
scoring_system epss
scoring_elements 0.13324
published_at 2026-05-09T12:55:00Z
17
value 0.00044
scoring_system epss
scoring_elements 0.13318
published_at 2026-05-11T12:55:00Z
18
value 0.00044
scoring_system epss
scoring_elements 0.13349
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34786
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:37:20Z/
url https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34786.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34786.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34786
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34786
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454507
reference_id 2454507
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454507
9
reference_url https://github.com/advisories/GHSA-q4qf-9j86-f5mh
reference_id GHSA-q4qf-9j86-f5mh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q4qf-9j86-f5mh
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34786, GHSA-q4qf-9j86-f5mh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m98a-mcyb-c7fm
13
url VCID-metf-cghw-p3b5
vulnerability_id VCID-metf-cghw-p3b5
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34826
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05072
published_at 2026-04-21T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05145
published_at 2026-04-29T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05146
published_at 2026-04-26T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05104
published_at 2026-04-24T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05733
published_at 2026-05-05T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05896
published_at 2026-05-14T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.0589
published_at 2026-05-12T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05889
published_at 2026-05-11T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05875
published_at 2026-05-09T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05809
published_at 2026-05-07T12:55:00Z
10
value 0.00039
scoring_system epss
scoring_elements 0.11785
published_at 2026-04-04T12:55:00Z
11
value 0.00039
scoring_system epss
scoring_elements 0.11569
published_at 2026-04-07T12:55:00Z
12
value 0.00051
scoring_system epss
scoring_elements 0.15856
published_at 2026-04-12T12:55:00Z
13
value 0.00051
scoring_system epss
scoring_elements 0.15857
published_at 2026-04-08T12:55:00Z
14
value 0.00051
scoring_system epss
scoring_elements 0.1592
published_at 2026-04-09T12:55:00Z
15
value 0.00051
scoring_system epss
scoring_elements 0.15894
published_at 2026-04-11T12:55:00Z
16
value 0.00051
scoring_system epss
scoring_elements 0.15787
published_at 2026-04-13T12:55:00Z
17
value 0.00051
scoring_system epss
scoring_elements 0.15709
published_at 2026-04-16T12:55:00Z
18
value 0.00058
scoring_system epss
scoring_elements 0.18187
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34826
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:34Z/
url https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34826.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34826.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34826
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34826
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454508
reference_id 2454508
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454508
9
reference_url https://github.com/advisories/GHSA-x8cg-fq8g-mxfx
reference_id GHSA-x8cg-fq8g-mxfx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x8cg-fq8g-mxfx
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34826, GHSA-x8cg-fq8g-mxfx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-metf-cghw-p3b5
14
url VCID-npag-sz7d-v7b6
vulnerability_id VCID-npag-sz7d-v7b6
summary 
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
reference_id
reference_type
scores
0
value 0.00158
scoring_system epss
scoring_elements 0.3673
published_at 2026-04-08T12:55:00Z
1
value 0.00158
scoring_system epss
scoring_elements 0.36408
published_at 2026-04-26T12:55:00Z
2
value 0.00158
scoring_system epss
scoring_elements 0.36438
published_at 2026-04-24T12:55:00Z
3
value 0.00158
scoring_system epss
scoring_elements 0.36663
published_at 2026-04-21T12:55:00Z
4
value 0.00158
scoring_system epss
scoring_elements 0.36723
published_at 2026-04-18T12:55:00Z
5
value 0.00158
scoring_system epss
scoring_elements 0.3674
published_at 2026-04-16T12:55:00Z
6
value 0.00158
scoring_system epss
scoring_elements 0.36812
published_at 2026-04-02T12:55:00Z
7
value 0.00158
scoring_system epss
scoring_elements 0.36695
published_at 2026-04-13T12:55:00Z
8
value 0.00158
scoring_system epss
scoring_elements 0.36721
published_at 2026-04-12T12:55:00Z
9
value 0.00158
scoring_system epss
scoring_elements 0.36756
published_at 2026-04-11T12:55:00Z
10
value 0.00158
scoring_system epss
scoring_elements 0.36844
published_at 2026-04-04T12:55:00Z
11
value 0.00158
scoring_system epss
scoring_elements 0.3668
published_at 2026-04-07T12:55:00Z
12
value 0.00158
scoring_system epss
scoring_elements 0.36747
published_at 2026-04-09T12:55:00Z
13
value 0.00158
scoring_system epss
scoring_elements 0.3632
published_at 2026-04-29T12:55:00Z
14
value 0.00173
scoring_system epss
scoring_elements 0.38369
published_at 2026-05-14T12:55:00Z
15
value 0.00182
scoring_system epss
scoring_elements 0.39461
published_at 2026-05-12T12:55:00Z
16
value 0.00182
scoring_system epss
scoring_elements 0.3944
published_at 2026-05-05T12:55:00Z
17
value 0.00182
scoring_system epss
scoring_elements 0.39522
published_at 2026-05-09T12:55:00Z
18
value 0.00182
scoring_system epss
scoring_elements 0.39435
published_at 2026-05-11T12:55:00Z
19
value 0.00182
scoring_system epss
scoring_elements 0.39506
published_at 2026-05-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id 2402174
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
reference_id CVE-2025-61770
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
reference_id CVE-2025-61770.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
12
reference_url https://github.com/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p543-xpfm-54cp
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
26
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
2
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-s971-gkdg-jkhc
14
vulnerability VCID-skxv-7he3-xqgc
15
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
3
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-dh75-6jyw-1ke2
7
vulnerability VCID-j34j-bgfd-8fez
8
vulnerability VCID-jg77-mm5c-gydu
9
vulnerability VCID-m98a-mcyb-c7fm
10
vulnerability VCID-metf-cghw-p3b5
11
vulnerability VCID-p3dk-p1gb-kkem
12
vulnerability VCID-pbu7-4hdm-s3a6
13
vulnerability VCID-pnz8-yes1-pfc7
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61770, GHSA-p543-xpfm-54cp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6
15
url VCID-p3dk-p1gb-kkem
vulnerability_id VCID-p3dk-p1gb-kkem
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34230
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05546
published_at 2026-04-21T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05617
published_at 2026-04-29T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05616
published_at 2026-04-26T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.0558
published_at 2026-04-24T12:55:00Z
4
value 0.00022
scoring_system epss
scoring_elements 0.06251
published_at 2026-05-07T12:55:00Z
5
value 0.00022
scoring_system epss
scoring_elements 0.0615
published_at 2026-05-05T12:55:00Z
6
value 0.00022
scoring_system epss
scoring_elements 0.0636
published_at 2026-05-14T12:55:00Z
7
value 0.00022
scoring_system epss
scoring_elements 0.06349
published_at 2026-05-12T12:55:00Z
8
value 0.00022
scoring_system epss
scoring_elements 0.06341
published_at 2026-05-11T12:55:00Z
9
value 0.00022
scoring_system epss
scoring_elements 0.06326
published_at 2026-05-09T12:55:00Z
10
value 0.00039
scoring_system epss
scoring_elements 0.1188
published_at 2026-04-04T12:55:00Z
11
value 0.00039
scoring_system epss
scoring_elements 0.11666
published_at 2026-04-07T12:55:00Z
12
value 0.00051
scoring_system epss
scoring_elements 0.15979
published_at 2026-04-08T12:55:00Z
13
value 0.00051
scoring_system epss
scoring_elements 0.16042
published_at 2026-04-09T12:55:00Z
14
value 0.00051
scoring_system epss
scoring_elements 0.16019
published_at 2026-04-11T12:55:00Z
15
value 0.00051
scoring_system epss
scoring_elements 0.15981
published_at 2026-04-12T12:55:00Z
16
value 0.00051
scoring_system epss
scoring_elements 0.15912
published_at 2026-04-13T12:55:00Z
17
value 0.00051
scoring_system epss
scoring_elements 0.15838
published_at 2026-04-16T12:55:00Z
18
value 0.00063
scoring_system epss
scoring_elements 0.19615
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34230
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
4
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
5
value HIGH
scoring_system generic_textual
scoring_elements
6
value MODERATE
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:56:03Z/
url https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34230.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34230.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34230
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34230
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454493
reference_id 2454493
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454493
9
reference_url https://github.com/advisories/GHSA-v569-hp3g-36wr
reference_id GHSA-v569-hp3g-36wr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v569-hp3g-36wr
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34230, GHSA-v569-hp3g-36wr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p3dk-p1gb-kkem
16
url VCID-pbu7-4hdm-s3a6
vulnerability_id VCID-pbu7-4hdm-s3a6
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34830
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08773
published_at 2026-04-07T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.08839
published_at 2026-04-04T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12341
published_at 2026-04-08T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12223
published_at 2026-04-16T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12323
published_at 2026-04-13T12:55:00Z
5
value 0.00041
scoring_system epss
scoring_elements 0.12361
published_at 2026-04-12T12:55:00Z
6
value 0.00041
scoring_system epss
scoring_elements 0.12399
published_at 2026-04-11T12:55:00Z
7
value 0.00041
scoring_system epss
scoring_elements 0.12391
published_at 2026-04-09T12:55:00Z
8
value 0.00043
scoring_system epss
scoring_elements 0.13017
published_at 2026-04-21T12:55:00Z
9
value 0.00043
scoring_system epss
scoring_elements 0.12919
published_at 2026-04-18T12:55:00Z
10
value 0.00043
scoring_system epss
scoring_elements 0.129
published_at 2026-04-29T12:55:00Z
11
value 0.00043
scoring_system epss
scoring_elements 0.13038
published_at 2026-04-24T12:55:00Z
12
value 0.00043
scoring_system epss
scoring_elements 0.13006
published_at 2026-04-26T12:55:00Z
13
value 0.00047
scoring_system epss
scoring_elements 0.14452
published_at 2026-05-14T12:55:00Z
14
value 0.00047
scoring_system epss
scoring_elements 0.14101
published_at 2026-05-05T12:55:00Z
15
value 0.00047
scoring_system epss
scoring_elements 0.14253
published_at 2026-05-07T12:55:00Z
16
value 0.00047
scoring_system epss
scoring_elements 0.14342
published_at 2026-05-09T12:55:00Z
17
value 0.00047
scoring_system epss
scoring_elements 0.14328
published_at 2026-05-11T12:55:00Z
18
value 0.00047
scoring_system epss
scoring_elements 0.14369
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34830
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34830.yml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34830.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34830
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34830
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454510
reference_id 2454510
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454510
8
reference_url https://github.com/advisories/GHSA-qv7j-4883-hwh7
reference_id GHSA-qv7j-4883-hwh7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qv7j-4883-hwh7
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
reference_id GHSA-qv7j-4883-hwh7
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements
1
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:59:36Z/
url https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-34830, GHSA-qv7j-4883-hwh7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbu7-4hdm-s3a6
17
url VCID-s971-gkdg-jkhc
vulnerability_id VCID-s971-gkdg-jkhc
summary 
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
reference_id
reference_type
scores
0
value 0.00221
scoring_system epss
scoring_elements 0.44748
published_at 2026-04-08T12:55:00Z
1
value 0.00221
scoring_system epss
scoring_elements 0.44632
published_at 2026-04-24T12:55:00Z
2
value 0.00221
scoring_system epss
scoring_elements 0.44713
published_at 2026-04-21T12:55:00Z
3
value 0.00221
scoring_system epss
scoring_elements 0.44784
published_at 2026-04-18T12:55:00Z
4
value 0.00221
scoring_system epss
scoring_elements 0.44791
published_at 2026-04-16T12:55:00Z
5
value 0.00221
scoring_system epss
scoring_elements 0.44736
published_at 2026-04-02T12:55:00Z
6
value 0.00221
scoring_system epss
scoring_elements 0.44737
published_at 2026-04-13T12:55:00Z
7
value 0.00221
scoring_system epss
scoring_elements 0.44735
published_at 2026-04-12T12:55:00Z
8
value 0.00221
scoring_system epss
scoring_elements 0.44767
published_at 2026-04-11T12:55:00Z
9
value 0.00221
scoring_system epss
scoring_elements 0.44756
published_at 2026-04-04T12:55:00Z
10
value 0.00221
scoring_system epss
scoring_elements 0.44695
published_at 2026-04-07T12:55:00Z
11
value 0.00221
scoring_system epss
scoring_elements 0.4475
published_at 2026-04-09T12:55:00Z
12
value 0.00221
scoring_system epss
scoring_elements 0.44439
published_at 2026-05-05T12:55:00Z
13
value 0.00221
scoring_system epss
scoring_elements 0.44561
published_at 2026-04-29T12:55:00Z
14
value 0.00221
scoring_system epss
scoring_elements 0.44639
published_at 2026-04-26T12:55:00Z
15
value 0.00295
scoring_system epss
scoring_elements 0.52799
published_at 2026-05-07T12:55:00Z
16
value 0.00295
scoring_system epss
scoring_elements 0.52836
published_at 2026-05-12T12:55:00Z
17
value 0.00295
scoring_system epss
scoring_elements 0.5281
published_at 2026-05-11T12:55:00Z
18
value 0.00295
scoring_system epss
scoring_elements 0.52843
published_at 2026-05-09T12:55:00Z
19
value 0.00295
scoring_system epss
scoring_elements 0.5291
published_at 2026-05-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
6
reference_url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
7
reference_url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id 1117856
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id 2403180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
reference_id CVE-2025-61919
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
reference_id CVE-2025-61919.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
12
reference_url https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6xw4-3v39-52mm
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
23
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
24
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
25
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
26
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
27
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
28
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
29
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@2.2.20
purl pkg:gem/rack@2.2.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-skxv-7he3-xqgc
12
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-7p12-ejdu-uqgy
5
vulnerability VCID-7wvj-9h3p-23am
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-dh75-6jyw-1ke2
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-j34j-bgfd-8fez
15
vulnerability VCID-jg77-mm5c-gydu
16
vulnerability VCID-m98a-mcyb-c7fm
17
vulnerability VCID-metf-cghw-p3b5
18
vulnerability VCID-npag-sz7d-v7b6
19
vulnerability VCID-p3dk-p1gb-kkem
20
vulnerability VCID-pbu7-4hdm-s3a6
21
vulnerability VCID-s971-gkdg-jkhc
22
vulnerability VCID-skxv-7he3-xqgc
23
vulnerability VCID-vkrw-y1j6-6fe7
24
vulnerability VCID-wvs1-dhwp-ebat
25
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
2
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-dh75-6jyw-1ke2
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-skxv-7he3-xqgc
13
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
3
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-dh75-6jyw-1ke2
6
vulnerability VCID-j34j-bgfd-8fez
7
vulnerability VCID-jg77-mm5c-gydu
8
vulnerability VCID-m98a-mcyb-c7fm
9
vulnerability VCID-metf-cghw-p3b5
10
vulnerability VCID-p3dk-p1gb-kkem
11
vulnerability VCID-pbu7-4hdm-s3a6
12
vulnerability VCID-pnz8-yes1-pfc7
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc
18
url VCID-skxv-7he3-xqgc
vulnerability_id VCID-skxv-7he3-xqgc
summary 
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
## Summary

`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.

## Details

`Rack::Directory` renders directory entries using an HTML row template similar to:

```html
<a href='%s'>%s</a>
```

The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:

```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```

Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

## Impact

If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.

When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

## Mitigation

* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).
* Avoid exposing user-controlled directories via `Rack::Directory`.
* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.

HackerOne profile:
https://hackerone.com/thesmartshadow

GitHub account owner:
Ali Firas (@thesmartshadow)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.0597
published_at 2026-04-26T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05935
published_at 2026-04-24T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05903
published_at 2026-04-21T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05759
published_at 2026-04-18T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05751
published_at 2026-04-16T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05787
published_at 2026-04-13T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05793
published_at 2026-04-12T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05801
published_at 2026-04-11T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05822
published_at 2026-04-09T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05797
published_at 2026-04-08T12:55:00Z
10
value 0.00021
scoring_system epss
scoring_elements 0.05758
published_at 2026-04-07T12:55:00Z
11
value 0.00021
scoring_system epss
scoring_elements 0.05724
published_at 2026-04-02T12:55:00Z
12
value 0.00021
scoring_system epss
scoring_elements 0.05764
published_at 2026-04-04T12:55:00Z
13
value 0.00025
scoring_system epss
scoring_elements 0.07199
published_at 2026-05-14T12:55:00Z
14
value 0.00025
scoring_system epss
scoring_elements 0.06915
published_at 2026-04-29T12:55:00Z
15
value 0.00025
scoring_system epss
scoring_elements 0.06938
published_at 2026-05-05T12:55:00Z
16
value 0.00025
scoring_system epss
scoring_elements 0.07087
published_at 2026-05-07T12:55:00Z
17
value 0.00025
scoring_system epss
scoring_elements 0.07176
published_at 2026-05-09T12:55:00Z
18
value 0.00025
scoring_system epss
scoring_elements 0.07158
published_at 2026-05-11T12:55:00Z
19
value 0.00025
scoring_system epss
scoring_elements 0.07171
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id 1128480
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id 2440738
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
11
reference_url https://github.com/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-whrj-4476-wvmp
12
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@2.2.22
purl pkg:gem/rack@2.2.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-j34j-bgfd-8fez
5
vulnerability VCID-jg77-mm5c-gydu
6
vulnerability VCID-m98a-mcyb-c7fm
7
vulnerability VCID-metf-cghw-p3b5
8
vulnerability VCID-p3dk-p1gb-kkem
9
vulnerability VCID-pbu7-4hdm-s3a6
10
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22
1
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-dh75-6jyw-1ke2
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
2
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2p73-rc9t-rudb
2
vulnerability VCID-2qba-a6bp-ryak
3
vulnerability VCID-5twm-pqc2-xyfn
4
vulnerability VCID-dh75-6jyw-1ke2
5
vulnerability VCID-j34j-bgfd-8fez
6
vulnerability VCID-jg77-mm5c-gydu
7
vulnerability VCID-m98a-mcyb-c7fm
8
vulnerability VCID-metf-cghw-p3b5
9
vulnerability VCID-p3dk-p1gb-kkem
10
vulnerability VCID-pbu7-4hdm-s3a6
11
vulnerability VCID-pnz8-yes1-pfc7
12
vulnerability VCID-wvs1-dhwp-ebat
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-25500, GHSA-whrj-4476-wvmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc
19
url VCID-wvs1-dhwp-ebat
vulnerability_id VCID-wvs1-dhwp-ebat
summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26961
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.0217
published_at 2026-04-29T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02146
published_at 2026-04-26T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02155
published_at 2026-04-24T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02185
published_at 2026-04-21T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02793
published_at 2026-05-09T12:55:00Z
5
value 0.00014
scoring_system epss
scoring_elements 0.02756
published_at 2026-05-07T12:55:00Z
6
value 0.00014
scoring_system epss
scoring_elements 0.0283
published_at 2026-05-14T12:55:00Z
7
value 0.00014
scoring_system epss
scoring_elements 0.0274
published_at 2026-05-05T12:55:00Z
8
value 0.00014
scoring_system epss
scoring_elements 0.028
published_at 2026-05-12T12:55:00Z
9
value 0.00029
scoring_system epss
scoring_elements 0.08165
published_at 2026-04-07T12:55:00Z
10
value 0.00029
scoring_system epss
scoring_elements 0.08219
published_at 2026-04-04T12:55:00Z
11
value 0.00038
scoring_system epss
scoring_elements 0.11236
published_at 2026-04-16T12:55:00Z
12
value 0.00038
scoring_system epss
scoring_elements 0.11376
published_at 2026-04-08T12:55:00Z
13
value 0.00038
scoring_system epss
scoring_elements 0.11434
published_at 2026-04-09T12:55:00Z
14
value 0.00038
scoring_system epss
scoring_elements 0.1144
published_at 2026-04-11T12:55:00Z
15
value 0.00038
scoring_system epss
scoring_elements 0.11407
published_at 2026-04-12T12:55:00Z
16
value 0.00038
scoring_system epss
scoring_elements 0.11377
published_at 2026-04-13T12:55:00Z
17
value 0.0004
scoring_system epss
scoring_elements 0.12015
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26961
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements
1
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3
value LOW
scoring_system cvssv3.1_qr
scoring_elements
4
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
5
value LOW
scoring_system generic_textual
scoring_elements
6
value MODERATE
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:57:50Z/
url https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26961.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26961.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26961
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26961
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2454483
reference_id 2454483
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2454483
9
reference_url https://github.com/advisories/GHSA-vgpv-f759-9wx3
reference_id GHSA-vgpv-f759-9wx3
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vgpv-f759-9wx3
10
reference_url https://usn.ubuntu.com/8182-1/
reference_id USN-8182-1
reference_type
scores
url https://usn.ubuntu.com/8182-1/
fixed_packages
0
url pkg:gem/rack@2.2.23
purl pkg:gem/rack@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.23
1
url pkg:gem/rack@3.1.21
purl pkg:gem/rack@3.1.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21
2
url pkg:gem/rack@3.2.6
purl pkg:gem/rack@3.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1j61-5e8x-7fbd
1
vulnerability VCID-2qba-a6bp-ryak
2
vulnerability VCID-5twm-pqc2-xyfn
3
vulnerability VCID-j34j-bgfd-8fez
4
vulnerability VCID-jg77-mm5c-gydu
5
vulnerability VCID-pbu7-4hdm-s3a6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6
aliases CVE-2026-26961, GHSA-vgpv-f759-9wx3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wvs1-dhwp-ebat
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.15