Rails

This hub aggregates every CVE we track for Rails, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Rails.

• CVE-2026-33658Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests6.5Mar 26, 2026
• CVE-2026-33202Rails Active Storage has possible glob injection in its DiskService9.1Mar 23, 2026
• CVE-2026-33195Rails Active Storage has possible Path Traversal in DiskService9.8Mar 23, 2026
• CVE-2026-33176Rails Active Support has a possible DoS vulnerability in its number helpers7.5Mar 23, 2026
• CVE-2026-33174Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests7.5Mar 23, 2026
• CVE-2026-33173Rails Active Storage has possible content type bypass via metadata in direct uploads5.3Mar 23, 2026
• CVE-2026-33170Rails Active Support has a possible XSS vulnerability in SafeBuffer#%6.1Mar 23, 2026
• CVE-2026-33169Rails Active Support has a possible ReDoS vulnerability in number_to_delimited5.3Mar 23, 2026
• CVE-2024-54133Possible Content Security Policy bypass in Action Dispatch4.3Dec 10, 2024
• CVE-2024-47889Action Mailer has possible ReDoS vulnerability in block_format3.7Oct 16, 2024
• CVE-2024-47888Action Text has possible ReDoS vulnerability in plain_text_for_blockquote_node3.7Oct 16, 2024
• CVE-2024-47887Action Controller has possible ReDoS vulnerability in HTTP Token authentication3.7Oct 16, 2024
• CVE-2024-41128Action Dispatch has possible ReDoS vulnerability in query parameter filtering3.7Oct 16, 2024
• CVE-2024-32464ActionText ContentAttachment can Contain Unsanitized HTML6.1Jun 4, 2024
• CVE-2024-28103Action Pack is missing security headers on non-HTML responses5.4Jun 4, 2024