Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ description: |

The XSS vulnerability was responsibly reported by Hackerone
researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
cvss_v4: 2.1
patched_versions:
- ">= 2.1.18"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/actionmailer/CVE-2024-47889.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ description: |
##Credits

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
cvss_v4: 6.6
unaffected_versions:
- "< 3.0.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/actionpack/CVE-2024-47887.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ description: |
## Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
cvss_v4: 6.6
unaffected_versions:
- "< 4.0.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/actionpack/CVE-2026-33167.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 1.3
unaffected_versions:
- "< 8.1.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/actiontext/CVE-2024-32464.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ description: |

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!
cvss_v3: 6.1
cvss_v4: 5.1
unaffected_versions:
- "< 7.1.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/actiontext/CVE-2024-47888.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ description: |
## Credits

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
cvss_v4: 6.6
unaffected_versions:
- "< 6.0.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/actionview/CVE-2026-33168.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 2.3
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activejob/GHSA-mpwp-4h2m-765c.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: |
We also fixed an Active Job bug that allowed String
arguments to be deserialized as if they were Global IDs,
an object injection security vulnerability.
cvss_v4: 6.6
patched_versions:
- ">= 4.2.0.beta2"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ description: |
using it in SQL queries. This may allow a remote attacker to inject or
manipulate SQL queries in the back-end database, allowing for the
manipulation or disclosure of arbitrary data.
cvss_v4: 8.8
unaffected_versions:
- "< 1.2.6"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/activerecord/CVE-2013-3221.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ description: |
But "Indeed the vector is completely fixed as of Rails 4.2 almost
two years after the original advisory."
cvss_v2: 6.4
cvss_v4: 9.3
patched_versions:
- ">= 4.2.0"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/activerecord/CVE-2025-55193.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ description: |

Thanks to [lio346](https://hackerone.com/lio346) for reporting
this vulnerability.
cvss_v4: 5.3
patched_versions:
- "~> 7.1.5, >= 7.1.5.2"
- "~> 7.2.2, >= 7.2.2.2"
Expand Down
1 change: 1 addition & 0 deletions gems/activestorage/CVE-2025-24293.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ description: |
## Credits

Thank you [lio346](https://hackerone.com/lio346) for reporting this!
cvss_v4: 9.2
unaffected_versions:
- "< 5.20"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/activestorage/CVE-2026-33173.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 5.3
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activestorage/CVE-2026-33174.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 6.6
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activestorage/CVE-2026-33195.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 8.0
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activestorage/CVE-2026-33202.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 6.6
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activesupport/CVE-2026-33169.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 6.9
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activesupport/CVE-2026-33170.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 5.3
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/activesupport/CVE-2026-33176.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: |

### Releases
The fixed releases are available at the normal locations.
cvss_v4: 6.6
patched_versions:
- "~> 7.2.3, >= 7.2.3.1"
- "~> 8.0.4, >= 8.0.4.1"
Expand Down
1 change: 1 addition & 0 deletions gems/bcrypt/CVE-2026-33306.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ description: |
### Workarounds

Set the cost to something less than 31.
cvss_v4: 4.5
patched_versions:
- ">= 3.1.22"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/bindata/CVE-2021-32823.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,6 @@ description: |
for a CPU-based DoS. In version 2.4.10, bindata improved the creation time of Bits
and Integers.
cvss_v3: 3.7
cvss_v4: 6.3
patched_versions:
- ">= 2.4.10"
1 change: 1 addition & 0 deletions gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ description: |
in `RequestHandler`.

- Fixed in version 1.12.0.
cvss_v4: 2.0
patched_versions:
- ">= 1.12.0"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/CVE-2024-46986.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ description: |
[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
cvss_v3: 9.9
cvss_v4: 8.7
unaffected_versions:
- "< 2.8.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/CVE-2024-46987.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ description: |
* [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
* [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
cvss_v3: 7.7
cvss_v4: 7.1
patched_versions:
- ">= 2.8.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/CVE-2024-48652.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ description: |
remote attacker to execute arbitrary code via the content group
name field.
cvss_v3: 4.8
cvss_v4: 4.8
notes: |
Never patched

Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/GHSA-75j2-9gmc-m855.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ description: |
could make sense to use the authentication provided by Ruby on Rails,
so that stolen tokens cannot be used anymore after some time.
cvss_v3: 5.4
cvss_v4: 4.8
unaffected_versions:
- "< 2.8.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ description: |
[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
cvss_v3: 7.2
cvss_v4: 8.6
patched_versions:
- ">= 2.8.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/GHSA-8fx8-3rg2-79xw.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ description: |
Ruby on Rails, so that stolen tokens cannot be used anymore
after some time.
cvss_v3: 5.4
cvss_v4: 4.8
patched_versions:
- ">= 2.8.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ description: |
Ruby on Rails, so that stolen tokens cannot be used anymore
after some time.
cvss_v3: 5.4
cvss_v4: 4.8
patched_versions:
- ">= 2.8.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/cgi/CVE-2025-27219.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ description: |
Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
cvss_v3: 5.8
cvss_v4: 6.3
patched_versions:
- "~> 0.3.5.1"
- "~> 0.3.7"
Expand Down
1 change: 1 addition & 0 deletions gems/cgi/CVE-2025-27220.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ description: |
Thanks to svalkanov for discovering this issue.
Also thanks to nobu for fixing this vulnerability.
cvss_v3: 4.0
cvss_v4: 6.3
patched_versions:
- "~> 0.3.5.1"
- "~> 0.3.7"
Expand Down
1 change: 1 addition & 0 deletions gems/decidim-admin/CVE-2024-27095.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ description: |

OWASP ASVS v4.0.3-5.1.3
cvss_v3: 5.4
cvss_v4: 6.8
patched_versions:
- "~> 0.27.6"
- ">= 0.28.1"
Expand Down
1 change: 1 addition & 0 deletions gems/decidim-admin/CVE-2024-32034.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ description: |
### References
OWASP ASVS v4.0.3-5.1.3
cvss_v3: 6.8
cvss_v4: 6.0
patched_versions:
- "~> 0.27.7"
- ">= 0.28.2"
Expand Down
1 change: 1 addition & 0 deletions gems/decidim-decidim_awesome/CVE-2024-43415.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ description: |
https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
https://portswigger.net/web-security/sql-injection
cvss_v3: 9.0
cvss_v4: 8.5
unaffected_versions:
- "< 0.11.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/decidim-meetings/CVE-2024-45594.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ description: |
Partizipationsbüro against Decidim. The security audit was implemented
by the Austrian Institute of Technology.
cvss_v3: 7.7
cvss_v4: 5.1
unaffected_versions:
- "< 0.28.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/decidim/CVE-2024-27090.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ description: |

Disallow access through your web server to the URLs finished with `/embed.html`
cvss_v3: 5.3
cvss_v4: 6.9
patched_versions:
- ">= 0.27.6"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/decidim/CVE-2024-32469.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ description: |
done during April 2024. The security audit was implemented by
[AIT Austrian Institute of Technology GmbH](https://www.ait.ac.at/),
cvss_v3: 7.1
cvss_v4: 6.3
patched_versions:
- "~> 0.27.6"
- ">= 0.28.1"
Expand Down
1 change: 1 addition & 0 deletions gems/decidim/CVE-2024-39910.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ description: |
### References
OWASP ASVS v4.0.3-5.1.3
cvss_v3: 5.4
cvss_v4: 5.9
patched_versions:
- ">= 0.27.7"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/decidim/CVE-2024-41673.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ description: |
[Open Source Politics](https://opensourcepolitics.eu/)
against Decidim done during July 2025.
cvss_v3: 7.1
cvss_v4: 7.1
patched_versions:
- ">= 0.27.8"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/devise/CVE-2026-32700.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ description: |
change, so you might have to implement a workaround similar to
Devise by setting changed_attributes["unconfirmed_email"] = nil as well.
cvss_v3: 5.3
cvss_v4: 6.0
patched_versions:
- ">= 5.0.3"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/doorkeeper-openid_connect/CVE-2026-44476.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ description: |
Upgrade existing applications created with a Dynamic Client registration
to have `confidential: true`
cvss_v3: 6.3
cvss_v4: 6.3
unaffected_versions:
- "< 1.9.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/fat_free_crm/GHSA-9pm8-vwc5-w2hm.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ description: |

Disable use of email dropbox.
cvss_v3: 2.1
cvss_v4: 2.1
patched_versions:
- ">= 0.26.0"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/fugit/CVE-2024-43380.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ description: |
In fewer words, making sure those fugit methods are not fed
unvetted input strings.
cvss_v3: 5.3
cvss_v4: 5.3
patched_versions:
- ">= 1.11.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/jquery-rails/CVE-2020-7656.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ description: |
allows attackers to execute arbitrary JavaScript in a victim's browser.
cvss_v2: 4.3
cvss_v3: 6.1
cvss_v4: 5.3
patched_versions:
- ">= 2.1.4"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/json/CVE-2026-33210.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ description: |

The issue can be avoided by not using the `allow_duplicate_key: false`
parsing option.
cvss_v4: 8.3
unaffected_versions:
- "< 2.14.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/logstash/CVE-2014-4326.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ description: |
remote attackers to execute arbitrary commands via a crafted
event in (1) `zabbix.rb` or (2) `nagios_nsca.rb` in `outputs/`.
cvss_v2: 7.5
cvss_v4: 8.1
unaffected_versions:
- "< 1.0.14"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/loofah/GHSA-46fp-8f5p-pf2m.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ description: |
## Credit

Responsibly reported by HackOne user `@smlee`.
cvss_v4: 2.7
unaffected_versions:
- "< 2.25.0"
patched_versions:
Expand Down
1 change: 1 addition & 0 deletions gems/mcp/CVE-2026-33946.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ description: |
belonging to the victim. The tool responses can be sensitive
confidential data.
cvss_v3: 8.2
cvss_v4: 8.2
patched_versions:
- ">= 0.9.2"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/measured/GHSA-29g5-m8v7-v564.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ description: |
### Patches

Users should update to the latest version.
cvss_v4: 4.9
patched_versions:
- ">= 3.2.1"
related:
Expand Down
1 change: 1 addition & 0 deletions gems/mpxj/CVE-2024-49771.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ description: |
### References
N/A
cvss_v3: 5.3
cvss_v4: 5.3
unaffected_versions:
- "< 8.3.5"
patched_versions:
Expand Down
Loading