Vulnerability details: VCID-6yr6-a21g-dyf5
Vulnerability ID VCID-6yr6-a21g-dyf5
Aliases: CVE-2018-16476, GHSA-q2qw-rmrh-vv42
Summary: A Broken Access Control vulnerability in Active Job
Weakness: Deserialization of Untrusted Data (CWE-502)
Mechanism and scope (from the upstream Rails advisory and fix commit referenced below): Active Job's argument deserializer resolved every String job argument through GlobalID::Locator, so an attacker who could get a string such as gid://app/Model/id into a job's arguments had it turned into the loaded model record rather than left as text, and could thereby point the job at records they were not authorised to reach. Affected: Active Job >= 4.2.0. Fixed in 4.2.11, 5.0.7.1, 5.1.6.1 and 5.2.1.1; short of upgrading, reject job input that looks like a GlobalID.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
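The mechanism behind this record, as an added example that is not code from VulnerableCode or from Rails: a minimal stand-in for Active Job's argument deserializer before and after the fix. The fix commit linked below stopped resolving plain String arguments through GlobalID::Locator, so only the tagged Hash that Active Job's own serializer emits is ever located. Account, ACCOUNTS, ToyLocator, serialize_record, locate_tagged and job_sees are assumptions for this example, and the records are constructed sample data; the model does not recurse into untagged Hash values the way Rails does.

```ruby
# Added example, not Rails' code: a simplified model of Active Job's
# argument deserializer before and after the CVE-2018-16476 fix. Rails'
# ActiveJob::Arguments and GlobalID::Locator are replaced by hypothetical
# in-memory stand-ins so this runs without Rails or the globalid gem.

# Constructed sample records standing in for database rows.
Account = Struct.new(:id, :owner, :secret)
ACCOUNTS = {
  1 => Account.new(1, "alice",   "alice-api-key"),
  2 => Account.new(2, "mallory", "mallory-api-key"),
}.freeze

# Stand-in for GlobalID::Locator: resolves "gid://app/Account/<id>" to a
# record, or returns nil when the string is not a GlobalID of a known record.
module ToyLocator
  GID = %r{\Agid://app/Account/(\d+)\z}
  def self.locate(str)
    m = GID.match(str)
    m && ACCOUNTS[m[1].to_i]
  end
end

# Key under which Active Job's serializer wraps a record reference.
GLOBALID_KEY = "_aj_globalid"

# Serializer side (unchanged by the fix): a record is enqueued as a tagged
# Hash, never as a bare String.
def serialize_record(account)
  { GLOBALID_KEY => "gid://app/Account/#{account.id}" }
end

# Only the exact one-key shape emitted by serialize_record is resolved;
# any other Hash is returned untouched in this model.
def locate_tagged(hash)
  hash.size == 1 && hash.key?(GLOBALID_KEY) ? ToyLocator.locate(hash[GLOBALID_KEY]) : hash
end

# Pre-fix behaviour: ANY String argument that looks like a GlobalID is
# resolved to a record, including strings that came straight from user input.
def deserialize_vulnerable(arg)
  case arg
  when String then ToyLocator.locate(arg) || arg
  when Hash   then locate_tagged(arg)
  when Array  then arg.map { |a| deserialize_vulnerable(a) }
  else arg
  end
end

# Post-fix behaviour: Strings stay Strings; only the tagged Hash is resolved.
def deserialize_fixed(arg)
  case arg
  when Hash   then locate_tagged(arg)
  when Array  then arg.map { |a| deserialize_fixed(a) }
  else arg
  end
end

# What a job body ends up holding when the enqueued argument came from an
# attacker-controlled field (here: mallory submitting alice's gid as text).
def job_sees(deserializer, argument)
  obj = deserializer.call(argument)
  obj.is_a?(Account) ? { record: obj.id, secret: obj.secret } : { text: obj }
end

if $PROGRAM_NAME == __FILE__
  attacker_input = "gid://app/Account/1"
  p job_sees(method(:deserialize_vulnerable), attacker_input)
  p job_sees(method(:deserialize_fixed), attacker_input)
  p deserialize_fixed(serialize_record(ACCOUNTS[2])).owner
end
```

Legitimate record arguments still round-trip through serialize_record in both versions; the only behaviour the fix removes is the implicit promotion of a bare string to a record, which is exactly the path an attacker controls.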
Affected and Fixed Packages Package Details
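A practitioner's check for the Affected and Fixed Packages section, added here and not VulnerableCode's or Rails' code: read the activejob version pinned in a Gemfile.lock and classify it against the fix releases named in the upstream advisory linked on this page (4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1; versions before 4.2.0 unaffected; later series carry the fix). The lockfile text is constructed for the example, and only Ruby's bundled Gem::Version is used; FIXED_IN, cve_2018_16476_status, activejob_version and check_lockfile are names chosen for this example.

```ruby
# Added example, not VulnerableCode's or Rails' code: classify the activejob
# version pinned in a Gemfile.lock against the CVE-2018-16476 fix releases.
require "rubygems"

# First fixed release per series, from the upstream advisory linked on this
# page (Rails security releases of 2018-11-27). Series that branched later
# (6.0 and up) carry the fix; releases before 4.2.0 are not affected.
FIXED_IN = {
  "4.2" => Gem::Version.new("4.2.11"),
  "5.0" => Gem::Version.new("5.0.7.1"),
  "5.1" => Gem::Version.new("5.1.6.1"),
  "5.2" => Gem::Version.new("5.2.1.1"),
}.freeze
FIRST_AFFECTED = Gem::Version.new("4.2.0")

# :not_affected, :fixed or :vulnerable for one activejob version string.
def cve_2018_16476_status(version_string)
  v = Gem::Version.new(version_string)
  return :not_affected if v < FIRST_AFFECTED
  series = v.segments.first(2).join(".")
  fixed = FIXED_IN[series]
  if fixed
    v >= fixed ? :fixed : :vulnerable
  else
    # Series without its own fix release: fixed only if newer than every fix.
    v > FIXED_IN.values.max ? :fixed : :vulnerable
  end
end

# Top-level gem specs in a Gemfile.lock are indented by exactly four spaces
# ("    activejob (5.2.1)"); their dependencies are indented further, so the
# anchored regex does not match "activejob (= 5.2.1)" dependency lines.
def activejob_version(lockfile_text)
  m = lockfile_text.match(/^ {4}activejob \(([^)]+)\)$/)
  m && m[1]
end

def check_lockfile(lockfile_text)
  version = activejob_version(lockfile_text)
  return { version: nil, status: :not_present } unless version
  { version: version, status: cve_2018_16476_status(version) }
end

# Constructed sample lockfile (not a real project's) pinning a vulnerable release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activejob (5.2.1)
        activesupport (= 5.2.1)
        globalid (>= 0.3.6)
      activesupport (5.2.1)
      globalid (0.4.1)
        activesupport (>= 4.2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    activejob
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  p check_lockfile(text)
end
```

Run it with a path to a real Gemfile.lock as the first argument; with no argument it classifies the constructed sample. Note that a fixed activejob version is the upstream condition only: an application that still hands user-supplied strings to jobs should be reviewed regardless, since the fix only stops those strings being promoted to records.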
Weaknesses (5)
System Score Found at
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2019:0600
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:0600
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16476.json
epss 0.00791 https://api.first.org/data/v1/epss?cve=CVE-2018-16476
cvssv3 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-q2qw-rmrh-vv42
cvssv3.1 7.5 https://github.com/rails/rails
generic_textual HIGH https://github.com/rails/rails
cvssv3.1 7.5 https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
generic_textual HIGH https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
cvssv3.1 7.5 https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
generic_textual HIGH https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
cvssv3 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
cvssv3.1 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
generic_textual HIGH https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-16476
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-16476
cvssv3.1 7.5 https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
generic_textual HIGH https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
No exploits are available.
CVSS v3 vectors by source:

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5)
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: None; Availability: None
  Found at: https://access.redhat.com/errata/RHSA-2019:0600
  Found at: https://github.com/rails/rails
  Found at: https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
  Found at: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
  Found at: https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
  Found at: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
  Found at: https://nvd.nist.gov/vuln/detail/CVE-2018-16476
  Found at: https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (base score 4.3)
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality: Low; Integrity: None; Availability: None
  Found at: https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16476.json

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (base score 6.5)
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: None; Availability: None
  Found at: https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

The three vectors agree on a network-reachable, low-complexity, confidentiality-only flaw and differ only in the assumed preconditions: the upstream/NVD vector assumes an unauthenticated attacker with no user interaction and full disclosure, Red Hat's product assessment assumes user interaction and limited disclosure, and SUSE's assumes an authenticated (low-privilege) attacker. For your own triage the deciding question is whether untrusted users can get strings into job arguments in your application at all; if they can, the 7.5 vector is the one to use.
Exploit Prediction Scoring System (EPSS)
Percentile 0.73836
EPSS Score 0.00791
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:10.059665+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activejob/CVE-2018-16476.yml 38.0.0