rack

Top products

The 15 most recently published vulnerabilities affecting rack.

• CVE-2026-39324Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization9.8Apr 7, 2026
• CVE-2026-26962Rack: Header injection in multipart requests4.8Apr 2, 2026
• CVE-2026-34835Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.4.8Apr 2, 2026
• CVE-2026-34827Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser7.5Apr 2, 2026
• CVE-2026-32762Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing4.8Apr 2, 2026
• CVE-2026-34830Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx5.9Apr 2, 2026
• CVE-2026-34829Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length7.5Apr 2, 2026
• CVE-2026-34826Rack: Unbounded Range Count in get_byte_ranges Enables DoS5.3Apr 2, 2026
• CVE-2026-34786Rack: Rack::Static header_rules bypass via URL-encoded paths5.3Apr 2, 2026
• CVE-2026-34785Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching7.5Apr 2, 2026
• CVE-2026-34763Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation5.3Apr 2, 2026
• CVE-2026-34831Rack: Content-Length mismatch in Rack::Files error responses4.8Apr 2, 2026
• CVE-2026-26961Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass3.7Apr 2, 2026
• CVE-2026-34230Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header5.3Apr 2, 2026
• CVE-2026-25500Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href5.4Feb 18, 2026