Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/activesupport@5.1.5.rc1
Typegem
Namespace
Nameactivesupport
Version5.1.5.rc1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version7.2.3.1
Latest_non_vulnerable_version8.1.2.1
Affected_by_vulnerabilities
0
url VCID-7s2b-9sgy-4qb4
vulnerability_id VCID-7s2b-9sgy-4qb4
summary 
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters.
This could produce quadratic time complexity on long digit strings.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
1
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
2
reference_url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
3
reference_url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
4
reference_url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
5
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.2.3.1
6
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.0.4.1
7
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.1.2.1
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
reference_id 2450556
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33169, GHSA-cg4j-q9v8-6v38
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7s2b-9sgy-4qb4
1
url VCID-bq89-45d8-67a3
vulnerability_id VCID-bq89-45d8-67a3
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
reference_id
reference_type
scores
0
value 0.01484
scoring_system epss
scoring_elements 0.81345
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
2
reference_url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
5
reference_url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
6
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
7
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
8
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
reference_id 2164736
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
reference_id CVE-2023-22796
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
reference_id CVE-2023-22796.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
13
reference_url https://github.com/advisories/GHSA-j6gc-792m-qgm2
reference_id GHSA-j6gc-792m-qgm2
reference_type
scores
url https://github.com/advisories/GHSA-j6gc-792m-qgm2
14
reference_url https://access.redhat.com/errata/RHSA-2023:4341
reference_id RHSA-2023:4341
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4341
15
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/activesupport@5.2.8
purl pkg:gem/activesupport@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7s2b-9sgy-4qb4
1
vulnerability VCID-bq89-45d8-67a3
2
vulnerability VCID-upyj-312m-cyhg
3
vulnerability VCID-y8nc-5c1w-c3ed
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@5.2.8
1
url pkg:gem/activesupport@6.1.7.1
purl pkg:gem/activesupport@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7s2b-9sgy-4qb4
1
vulnerability VCID-bq89-45d8-67a3
2
vulnerability VCID-upyj-312m-cyhg
3
vulnerability VCID-y8nc-5c1w-c3ed
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.1
2
url pkg:gem/activesupport@7.0.4.1
purl pkg:gem/activesupport@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7s2b-9sgy-4qb4
1
vulnerability VCID-bq89-45d8-67a3
2
vulnerability VCID-upyj-312m-cyhg
3
vulnerability VCID-y8nc-5c1w-c3ed
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.4.1
aliases CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bq89-45d8-67a3
2
url VCID-k5ev-tcr1-3kbz
vulnerability_id VCID-k5ev-tcr1-3kbz
summary 
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```
data = cache.fetch("demo", raw: true) { untrusted_string }
```

Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the `raw` argument should be double-checked to ensure that they conform to the expected format.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
reference_id
reference_type
scores
0
value 0.90128
scoring_system epss
scoring_elements 0.99605
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
4
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
5
reference_url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
6
reference_url https://hackerone.com/reports/413388
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/413388
7
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
8
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
9
reference_url https://security.netapp.com/advisory/ntap-20250509-0002
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250509-0002
10
reference_url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
11
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
reference_id 1843072
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
reference_id CVE-2020-8165
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
reference_id CVE-2020-8165.YML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
15
reference_url https://github.com/advisories/GHSA-2p68-f74v-9wc6
reference_id GHSA-2p68-f74v-9wc6
reference_type
scores
url https://github.com/advisories/GHSA-2p68-f74v-9wc6
16
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/activesupport@5.2.4.3
purl pkg:gem/activesupport@5.2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7s2b-9sgy-4qb4
1
vulnerability VCID-bq89-45d8-67a3
2
vulnerability VCID-upyj-312m-cyhg
3
vulnerability VCID-y8nc-5c1w-c3ed
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@5.2.4.3
1
url pkg:gem/activesupport@6.0.3.1
purl pkg:gem/activesupport@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7s2b-9sgy-4qb4
1
vulnerability VCID-bq89-45d8-67a3
2
vulnerability VCID-upyj-312m-cyhg
3
vulnerability VCID-y8nc-5c1w-c3ed
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.0.3.1
aliases CVE-2020-8165, GHSA-2p68-f74v-9wc6
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k5ev-tcr1-3kbz
3
url VCID-upyj-312m-cyhg
vulnerability_id VCID-upyj-312m-cyhg
summary 
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer.
If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments,
the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
1
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
2
reference_url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
3
reference_url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
4
reference_url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
5
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.2.3.1
6
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.0.4.1
7
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.1.2.1
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
reference_id 2450543
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33170, GHSA-89vf-4333-qx8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-upyj-312m-cyhg
4
url VCID-y8nc-5c1w-c3ed
vulnerability_id VCID-y8nc-5c1w-c3ed
summary 
Rails Active Support has a possible DoS vulnerability in its number helpers
### Impact
Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`),
which when converted to a string could be expanded into extremely large decimal representations.
This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,
possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
1
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
2
reference_url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
3
reference_url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
4
reference_url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
5
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.2.3.1
6
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.0.4.1
7
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v8.1.2.1
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
reference_id 2450551
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
13
reference_url https://access.redhat.com/errata/RHSA-2026:14835
reference_id RHSA-2026:14835
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14835
14
reference_url https://access.redhat.com/errata/RHSA-2026:14873
reference_id RHSA-2026:14873
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14873
15
reference_url https://access.redhat.com/errata/RHSA-2026:14874
reference_id RHSA-2026:14874
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14874
fixed_packages
0
url pkg:gem/activesupport@7.2.3.1
purl pkg:gem/activesupport@7.2.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1
1
url pkg:gem/activesupport@8.0.4.1
purl pkg:gem/activesupport@8.0.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1
2
url pkg:gem/activesupport@8.1.2.1
purl pkg:gem/activesupport@8.1.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1
aliases CVE-2026-33176, GHSA-2j26-frm8-cmj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y8nc-5c1w-c3ed
Fixing_vulnerabilities
Risk_score3.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/activesupport@5.1.5.rc1