Ruby on rails

This hub aggregates every CVE we track for Ruby on rails, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Ruby on rails.

• CVE-2026-33658Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests6.5Mar 26, 2026
• CVE-2026-33202Rails Active Storage has possible glob injection in its DiskService9.1Mar 23, 2026
• CVE-2026-33176Rails Active Support has a possible DoS vulnerability in its number helpers7.5Mar 23, 2026
• CVE-2026-33174Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests7.5Mar 23, 2026
• CVE-2026-33170Rails Active Support has a possible XSS vulnerability in SafeBuffer#%6.1Mar 23, 2026
• CVE-2026-33169Rails Active Support has a possible ReDoS vulnerability in number_to_delimited5.3Mar 23, 2026
• CVE-2024-26144Possible Sensitive Session Information Leak in Active Storage5.3Feb 27, 2024
• CVE-2024-26143Rails Possible XSS Vulnerability in Action Controller6.1Feb 27, 2024
• CVE-2023-22792A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can caus...7.5Feb 9, 2023
• CVE-2023-22794A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hint...8.8Feb 9, 2023
• CVE-2023-22797An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully...6.1Feb 9, 2023
• CVE-2023-22795A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expres...7.5Feb 9, 2023
• CVE-2022-3704Ruby on Rails _table.html.erb cross site scripting3.5Oct 26, 2022
• CVE-2022-27777A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.6.1May 26, 2022
• CVE-2022-21831A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.9.8May 26, 2022