VulnerableCode Vulnerability Details - VCID-fqcm-4af1-e3c1

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-fqcm-4af1-e3c1

Essentials
Severities (12)
References (14)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fqcm-4af1-e3c1
Aliases	CVE-2006-4111 GHSA-rvpq-5xqx-pfpp
Summary	Ruby on Rails vulnerable to code injection Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-94	Improper Control of Generation of Code ('Code Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	HIGH	http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
epss	0.03984	https://api.first.org/data/v1/epss?cve=CVE-2006-4111
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
generic_textual	HIGH	https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
generic_textual	HIGH	https://github.com/rails/rails
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2006-4111
generic_textual	HIGH	https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
generic_textual	HIGH	https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
generic_textual	HIGH	http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
generic_textual	HIGH	http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
generic_textual	HIGH	http://www.novell.com/linux/security/advisories/2006_21_sr.html

Reference id	Reference type	URL
		http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
		https://api.first.org/data/v1/epss?cve=CVE-2006-4111
		https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
		https://github.com/rails/rails
		https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
		https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
		http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
		http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
		http://www.novell.com/linux/security/advisories/2006_21_sr.html
382255		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
CVE-2006-4111		https://nvd.nist.gov/vuln/detail/CVE-2006-4111
CVE-2006-4111.YML		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
GHSA-rvpq-5xqx-pfpp		https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
GLSA-200608-20		https://security.gentoo.org/glsa/200608-20

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.88603
EPSS Score	0.03984
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T20:53:07.355738+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2006-4111.yml	38.6.0