Activesupport
This hub aggregates every CVE we track for Activesupport, a product in the OSS libraries category. Use it to gauge the current risk picture and drill into individual advisories.
Summary:
- 18 CVEs tracked
- 2 Critical
- 3 High
- 0 in CISA KEV
Severity distribution: Medium 13, High 3, Critical 2
Monthly trend: chart of newly published CVEs per month, 2024-07 to 2026-06 (all months 0 except two, with 2 and 3 new CVEs respectively).
Latest CVEs
The 15 most recently published vulnerabilities affecting Activesupport.
- CVE-2026-33176: Rails Active Support has a possible DoS vulnerability in its number helpers (CVSS 7.5)
- CVE-2026-33170: Rails Active Support has a possible XSS vulnerability in SafeBuffer#% (CVSS 6.1)
- CVE-2026-33169: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited (CVSS 5.3)
- CVE-2023-38037: ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's ... (CVSS 5.5)
- CVE-2023-28120: There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. (CVSS 5.3)
- CVE-2023-22796: A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a s... (CVSS 7.5)
- CVE-2020-8165: A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore po... (CVSS 9.8)
- CVE-2018-3779: active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execu... (CVSS 9.8)
- CVE-2015-3226: Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web sc... (CVSS 4.3)
- CVE-2015-3227: The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of servi... (CVSS 5.0)
- CVE-2013-1856: The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is ... (CVSS 5.8)
- CVE-2013-0333: lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows ... (CVSS 7.5)
- CVE-2012-3464: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow ... (CVSS 4.3)
- CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors ... (CVSS 4.3)
- CVE-2011-2932: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 all... (CVSS 4.3)
Product normalization is registry-driven with AI assist and human review.