
security gem updates and update to ruby 4.x#26

Open
btihen wants to merge 1 commit into
LAS-IT:mainfrom
btihen:security_updates

Conversation

@btihen btihen commented Jun 12, 2026

  • ruby 4.x
  • update gems for security
❯ bundle-audit

Name: actionview
Version: 7.2.3
CVE: CVE-2026-33168
GHSA: GHSA-v55j-83pf-r9cq
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
Title: Rails has a possible XSS vulnerability in its Action View tag helpers
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2026-33173
GHSA: GHSA-qcfx-2mfw-w4cg
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
Title: Rails Active Storage has possible content type bypass via metadata in direct uploads
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2026-33174
GHSA: GHSA-r46p-8f7g-vvvg
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
Title: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2026-33195
GHSA: GHSA-9xrj-h377-fr87
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
Title: Rails Active Storage has possible Path Traversal in DiskService
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2026-33202
GHSA: GHSA-73f9-jhhh-hr5m
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
Title: Rails Active Storage has possible glob injection in its DiskService
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activestorage
Version: 7.2.3
CVE: CVE-2026-33658
GHSA: GHSA-p9fm-f462-ggrg
Criticality: Medium
URL: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activesupport
Version: 7.2.3
CVE: CVE-2026-33169
GHSA: GHSA-cg4j-q9v8-6v38
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
Title: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activesupport
Version: 7.2.3
CVE: CVE-2026-33170
GHSA: GHSA-89vf-4333-qx8v
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
Title: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: activesupport
Version: 7.2.3
CVE: CVE-2026-33176
GHSA: GHSA-2j26-frm8-cmj9
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
Title: Rails Active Support has a possible DoS vulnerability in its number helpers
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: addressable
Version: 2.8.8
CVE: CVE-2026-35611
GHSA: GHSA-h27x-rffw-24p4
Criticality: High
URL: https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4
Title: Addressable has a Regular Expression Denial of Service in Addressable templates
Solution: update to '>= 2.9.0'

Name: erb
Version: 6.0.0
CVE: CVE-2026-41316
GHSA: GHSA-q339-8rmv-2mhv
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-41316
Title: ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
Solution: update to '~> 4.0.3.1', '~> 4.0.4.1', '~> 6.0.1.1', '>= 6.0.4'

Name: json
Version: 2.17.1
CVE: CVE-2026-33210
GHSA: GHSA-3m6g-2423-7cp3
Criticality: Unknown
URL: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
Title: Ruby JSON has a format string injection vulnerability
Solution: update to '~> 2.15.2.1', '~> 2.17.1.2', '>= 2.19.2'

Name: net-imap
Version: 0.5.12
CVE: CVE-2026-42245
GHSA: GHSA-q2mw-fvj9-vvcw
Criticality: Unknown
URL: https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw
Title: net-imap has quadratic complexity when reading response literals
Solution: update to '~> 0.4.24', '~> 0.5.14', '>= 0.6.4'

Name: net-imap
Version: 0.5.12
CVE: CVE-2026-42246
GHSA: GHSA-vcgp-9326-pqcp
Criticality: Unknown
URL: https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
Title: net-imap vulnerable to STARTTLS stripping via invalid response timing
Solution: update to '~> 0.3.10', '~> 0.4.24', '~> 0.5.14', '>= 0.6.4'

Name: net-imap
Version: 0.5.12
CVE: CVE-2026-42256
GHSA: GHSA-87pf-fpwv-p7m7
Criticality: Unknown
URL: https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7
Title: net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
Solution: update to '~> 0.4.24', '~> 0.5.14', '>= 0.6.4'

Name: net-imap
Version: 0.5.12
CVE: CVE-2026-42257
GHSA: GHSA-hm49-wcqc-g2xg
Criticality: Unknown
URL: https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
Title: net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Solution: update to '~> 0.4.24', '~> 0.5.14', '>= 0.6.4'

Name: net-imap
Version: 0.5.12
CVE: CVE-2026-42258
GHSA: GHSA-75xq-5h9v-w6px
Criticality: Unknown
URL: https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
Title: net-imap vulnerable to command Injection via unvalidated Symbol inputs
Solution: update to '~> 0.4.24', '~> 0.5.14', '>= 0.6.4'

Name: nokogiri
Version: 1.18.10
GHSA: GHSA-c4rq-3m3g-8wgx
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx
Title: Nokogiri CSS selector tokenizer has regular expression backtracking
Solution: update to '>= 1.19.3'

Name: nokogiri
Version: 1.18.10
GHSA: GHSA-v2fc-qm4h-8hqv
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv
Title: Nokogiri XSLT transform has a memory leak
Solution: update to '>= 1.19.3'

Name: nokogiri
Version: 1.18.10
GHSA: GHSA-wx95-c6cv-8532
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
Title: Nokogiri does not check the return value from xmlC14NExecute
Solution: update to '>= 1.19.1'

Name: puma
Version: 7.1.0
CVE: CVE-2026-47736
GHSA: GHSA-qpgp-93vx-g8v8
Criticality: High
URL: https://www.cve.org/CVERecord?id=CVE-2026-47736
Title: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Solution: update to '~> 7.2.1', '>= 8.0.2'

Name: puma
Version: 7.1.0
CVE: CVE-2026-47737
GHSA: GHSA-2vqw-3mp8-cgmx
Criticality: High
URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737
Title: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
Solution: update to '~> 7.2.1', '>= 8.0.2'

Name: rack
Version: 3.2.4
CVE: CVE-2026-22860
GHSA: GHSA-mxw3-3hh2-x2mh
Criticality: High
URL: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
Title: Rack has a Directory Traversal via Rack:Directory
Solution: update to '~> 2.2.22', '~> 3.1.20', '>= 3.2.5'

Name: rack
Version: 3.2.4
CVE: CVE-2026-25500
GHSA: GHSA-whrj-4476-wvmp
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
Title: Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Solution: update to '~> 2.2.22', '~> 3.1.20', '>= 3.2.5'

Name: rack
Version: 3.2.4
CVE: CVE-2026-26961
GHSA: GHSA-vgpv-f759-9wx3
Criticality: Low
URL: https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
Title: Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-26962
GHSA: GHSA-rx22-g9mx-qrhv
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv
Title: Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Solution: update to '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-32762
GHSA: GHSA-qfgr-crr9-7r49
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
Title: Rack - Forwarded Header semicolon injection enables Host and Scheme spoofing
Solution: update to '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34230
GHSA: GHSA-v569-hp3g-36wr
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
Title: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34763
GHSA: GHSA-7mqq-6cf9-v2qp
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp
Title: Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34785
GHSA: GHSA-h2jq-g4cq-5ppq
Criticality: High
URL: https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
Title: Rack::Static prefix matching can expose unintended files under the static root
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34786
GHSA: GHSA-q4qf-9j86-f5mh
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
Title: Rack:: Static header_rules bypass via URL-encoded paths
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34826
GHSA: GHSA-x8cg-fq8g-mxfx
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx
Title: Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34827
GHSA: GHSA-v6x5-cg8r-vv6x
Criticality: High
URL: https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
Title: Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
Solution: update to '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34829
GHSA: GHSA-8vqr-qjwx-82mw
Criticality: High
URL: https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw
Title: Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34830
GHSA: GHSA-qv7j-4883-hwh7
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
Title: Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34831
GHSA: GHSA-q2ww-5357-x388
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
Title: Rack has Content-Length mismatch in Rack::Files error responses
Solution: update to '~> 2.2.23', '~> 3.1.21', '>= 3.2.6'

Name: rack
Version: 3.2.4
CVE: CVE-2026-34835
GHSA: GHSA-g2pf-xv49-m2h5
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5
Title: Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Solution: update to '~> 3.1.21', '>= 3.2.6'

Name: rack-session
Version: 2.1.1
CVE: CVE-2026-39324
GHSA: GHSA-33qg-7wpp-89cq
Criticality: Unknown
URL: https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
Title: Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Solution: update to '>= 2.1.2'

Vulnerabilities found!
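The report above lists, for each advisory, one or more quoted requirement sets in its `Solution:` line; a version is fixed if it satisfies any one of them. The following Ruby script is an added example (not part of this pull request or of bundler-audit) that parses that block format and, using the stdlib `Gem::Requirement` / `Gem::Version` classes, tells you whether an installed version is already patched and which of the listed floors is the smallest upgrade from where you are. The embedded sample input is two blocks copied from the output above; the function names are the example's own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement live in rubygems (stdlib)

# Sample input for the example: two advisory blocks copied from the
# bundle-audit output above, in the tool's "Key: value" block format.
SAMPLE_REPORT = <<~REPORT
  Name: actionview
  Version: 7.2.3
  CVE: CVE-2026-33168
  GHSA: GHSA-v55j-83pf-r9cq
  Criticality: Unknown
  URL: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
  Title: Rails has a possible XSS vulnerability in its Action View tag helpers
  Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

  Name: json
  Version: 2.17.1
  CVE: CVE-2026-33210
  GHSA: GHSA-3m6g-2423-7cp3
  Criticality: Unknown
  URL: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
  Title: Ruby JSON has a format string injection vulnerability
  Solution: update to '~> 2.15.2.1', '~> 2.17.1.2', '>= 2.19.2'
REPORT

# Split the report on blank lines and turn each "Key: value" block into a Hash.
# The value is split on the first ": " only, so URLs and titles stay intact.
def parse_audit(text)
  text.split(/\n\s*\n/).map do |block|
    block.lines.each_with_object({}) do |line, advisory|
      key, value = line.split(": ", 2)
      advisory[key.strip] = value.strip if value
    end
  end.reject(&:empty?)
end

# Each single-quoted string in the Solution line is one fixed release line,
# e.g. "~> 7.2.3, >= 7.2.3.1" becomes a Gem::Requirement with two constraints.
def fixed_requirements(solution)
  solution.scan(/'([^']+)'/).flatten.map do |alternative|
    Gem::Requirement.new(*alternative.split(",").map(&:strip))
  end
end

# True when the installed version already satisfies one of the fixed lines.
def patched?(version, solution)
  installed = Gem::Version.new(version)
  fixed_requirements(solution).any? { |req| req.satisfied_by?(installed) }
end

# Smallest version literal from the Solution line that is not a downgrade and
# satisfies one of the fixed lines: the least disruptive upgrade. The literals
# are the floors of each fixed line, so this is the lowest version the audit
# would accept, not necessarily the newest release in that line.
def minimal_upgrade(version, solution)
  installed = Gem::Version.new(version)
  reqs = fixed_requirements(solution)
  candidates = reqs.flat_map { |req| req.requirements.map { |(_op, v)| v } }
  candidates.select { |v| v >= installed && reqs.any? { |r| r.satisfied_by?(v) } }.min
end

# One summary row per advisory in the report.
def audit_summary(text = SAMPLE_REPORT)
  parse_audit(text).map do |adv|
    {
      name: adv["Name"],
      installed: adv["Version"],
      advisory: adv["GHSA"],
      patched: patched?(adv["Version"], adv["Solution"]),
      minimal_upgrade: minimal_upgrade(adv["Version"], adv["Solution"])&.to_s,
    }
  end
end

if $PROGRAM_NAME == __FILE__
  audit_summary.each do |row|
    target = row[:patched] ? "already patched" : "upgrade to >= #{row[:minimal_upgrade]}"
    puts "#{row[:name]} #{row[:installed]} (#{row[:advisory]}): #{target}"
  end
end
```

Running it against the two sample blocks reports actionview 7.2.3 needing 7.2.3.1 and json 2.17.1 needing 2.17.1.2, i.e. the patch release within the currently pinned line rather than a jump to the latest major. Pipe the real `bundle-audit` output into `parse_audit` to get the same summary for the whole Gemfile.lock; the one format caveat is that entries without a CVE (the nokogiri ones above) simply lack that key.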
