Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
78 vulnerabilities found for rack by rack
CVE-2026-34835 (GCVE-0-2026-34835)
Vulnerability from nvd – Published: 2026-04-02 17:09 – Updated: 2026-04-02 17:44
VLAI?
Title
Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:43:54.517566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:44:03.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:09:07.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5"
}
],
"source": {
"advisory": "GHSA-g2pf-xv49-m2h5",
"discovery": "UNKNOWN"
},
"title": "Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34835",
"datePublished": "2026-04-02T17:09:07.047Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T17:44:03.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34827 (GCVE-0-2026-34827)
Vulnerability from nvd – Published: 2026-04-02 17:07 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:42:04.834994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:16.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:07:48.279Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x"
}
],
"source": {
"advisory": "GHSA-v6x5-cg8r-vv6x",
"discovery": "UNKNOWN"
},
"title": "Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34827",
"datePublished": "2026-04-02T17:07:48.279Z",
"dateReserved": "2026-03-30T20:52:53.283Z",
"dateUpdated": "2026-04-03T18:13:16.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32762 (GCVE-0-2026-32762)
Vulnerability from nvd – Published: 2026-04-02 17:06 – Updated: 2026-04-02 17:42
VLAI?
Title
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:42:32.117443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:42:42.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:06:50.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49"
}
],
"source": {
"advisory": "GHSA-qfgr-crr9-7r49",
"discovery": "UNKNOWN"
},
"title": "Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32762",
"datePublished": "2026-04-02T17:06:50.819Z",
"dateReserved": "2026-03-13T18:53:03.533Z",
"dateUpdated": "2026-04-02T17:42:42.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26962 (GCVE-0-2026-26962)
Vulnerability from nvd – Published: 2026-04-02 17:10 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Header injection in multipart requests
Summary
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:31:17.511210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:06.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:10:17.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv"
}
],
"source": {
"advisory": "GHSA-rx22-g9mx-qrhv",
"discovery": "UNKNOWN"
},
"title": "Rack: Header injection in multipart requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26962",
"datePublished": "2026-04-02T17:10:17.091Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-04-03T18:13:06.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34831 (GCVE-0-2026-34831)
Vulnerability from nvd – Published: 2026-04-02 16:43 – Updated: 2026-04-03 17:48
VLAI?
Title
Rack: Content-Length mismatch in Rack::Files error responses
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
4.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:43:52.462237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:48:11.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-135",
"description": "CWE-135: Incorrect Calculation of Multi-Byte String Length",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:43:08.762Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388"
}
],
"source": {
"advisory": "GHSA-q2ww-5357-x388",
"discovery": "UNKNOWN"
},
"title": "Rack: Content-Length mismatch in Rack::Files error responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34831",
"datePublished": "2026-04-02T16:43:08.762Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T17:48:11.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34830 (GCVE-0-2026-34830)
Vulnerability from nvd – Published: 2026-04-02 16:47 – Updated: 2026-04-02 18:59
VLAI?
Title
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.9 (Medium)
CWE
- CWE-625 - Permissive Regular Expression
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:59:36.006369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:59:46.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-625",
"description": "CWE-625: Permissive Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:47:40.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7"
}
],
"source": {
"advisory": "GHSA-qv7j-4883-hwh7",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34830",
"datePublished": "2026-04-02T16:47:40.490Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T18:59:46.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34829 (GCVE-0-2026-34829)
Vulnerability from nvd – Published: 2026-04-02 16:46 – Updated: 2026-04-02 17:41
VLAI?
Title
Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:41:27.704414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:41:33.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:46:47.357Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw"
}
],
"source": {
"advisory": "GHSA-8vqr-qjwx-82mw",
"discovery": "UNKNOWN"
},
"title": "Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34829",
"datePublished": "2026-04-02T16:46:47.357Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T17:41:33.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34826 (GCVE-0-2026-34826)
Vulnerability from nvd – Published: 2026-04-02 16:45 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Unbounded Range Count in get_byte_ranges Enables DoS
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:42:34.710335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:27.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:45:53.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx"
}
],
"source": {
"advisory": "GHSA-x8cg-fq8g-mxfx",
"discovery": "UNKNOWN"
},
"title": "Rack: Unbounded Range Count in get_byte_ranges Enables DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34826",
"datePublished": "2026-04-02T16:45:53.964Z",
"dateReserved": "2026-03-30T20:52:53.283Z",
"dateUpdated": "2026-04-03T18:13:27.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34786 (GCVE-0-2026-34786)
Vulnerability from nvd – Published: 2026-04-02 16:44 – Updated: 2026-04-03 17:38
VLAI?
Title
Rack: Rack::Static header_rules bypass via URL-encoded paths
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34786",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:37:20.498682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:38:11.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:44:59.694Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh"
}
],
"source": {
"advisory": "GHSA-q4qf-9j86-f5mh",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Static header_rules bypass via URL-encoded paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34786",
"datePublished": "2026-04-02T16:44:59.694Z",
"dateReserved": "2026-03-30T19:54:55.556Z",
"dateUpdated": "2026-04-03T17:38:11.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34785 (GCVE-0-2026-34785)
Vulnerability from nvd – Published: 2026-04-02 16:44 – Updated: 2026-04-02 18:59
VLAI?
Title
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:58:57.726888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:59:08.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:44:17.134Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"
}
],
"source": {
"advisory": "GHSA-h2jq-g4cq-5ppq",
"discovery": "UNKNOWN"
},
"title": "Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34785",
"datePublished": "2026-04-02T16:44:17.134Z",
"dateReserved": "2026-03-30T19:54:55.556Z",
"dateUpdated": "2026-04-02T18:59:08.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34763 (GCVE-0-2026-34763)
Vulnerability from nvd – Published: 2026-04-02 16:43 – Updated: 2026-04-02 17:41
VLAI?
Title
Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
- CWE-625 - Permissive Regular Expression
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:41:04.738315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:41:12.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-625",
"description": "CWE-625: Permissive Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:43:42.189Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp"
}
],
"source": {
"advisory": "GHSA-7mqq-6cf9-v2qp",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34763",
"datePublished": "2026-04-02T16:43:42.189Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-02T17:41:12.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34230 (GCVE-0-2026-34230)
Vulnerability from nvd – Published: 2026-04-02 16:41 – Updated: 2026-04-03 18:19
VLAI?
Title
Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:56:03.220311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:19:00.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:41:21.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr"
}
],
"source": {
"advisory": "GHSA-v569-hp3g-36wr",
"discovery": "UNKNOWN"
},
"title": "Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34230",
"datePublished": "2026-04-02T16:41:21.095Z",
"dateReserved": "2026-03-26T16:22:29.034Z",
"dateUpdated": "2026-04-03T18:19:00.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26961 (GCVE-0-2026-26961)
Vulnerability from nvd – Published: 2026-04-02 16:42 – Updated: 2026-04-03 17:58
VLAI?
Title
Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:57:50.290547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:58:12.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:42:16.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"
}
],
"source": {
"advisory": "GHSA-vgpv-f759-9wx3",
"discovery": "UNKNOWN"
},
"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26961",
"datePublished": "2026-04-02T16:42:16.766Z",
"dateReserved": "2026-02-16T22:20:28.611Z",
"dateUpdated": "2026-04-03T17:58:12.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25500 (GCVE-0-2026-25500)
Vulnerability from nvd – Published: 2026-02-18 18:59 – Updated: 2026-02-18 19:42
VLAI?
Title
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:42:04.480536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:42:35.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:59:31.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp"
},
{
"name": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff"
}
],
"source": {
"advisory": "GHSA-whrj-4476-wvmp",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25500",
"datePublished": "2026-02-18T18:59:31.964Z",
"dateReserved": "2026-02-02T18:21:42.485Z",
"dateUpdated": "2026-02-18T19:42:35.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22860 (GCVE-0-2026-22860)
Vulnerability from nvd – Published: 2026-02-18 18:45 – Updated: 2026-02-18 19:28
VLAI?
Title
Rack has a Directory Traversal via Rack:Directory
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:27:31.243687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:28:38.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:45:02.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh"
},
{
"name": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7"
}
],
"source": {
"advisory": "GHSA-mxw3-3hh2-x2mh",
"discovery": "UNKNOWN"
},
"title": "Rack has a Directory Traversal via Rack:Directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22860",
"datePublished": "2026-02-18T18:45:02.095Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-18T19:28:38.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26962 (GCVE-0-2026-26962)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:10 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Header injection in multipart requests
Summary
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:31:17.511210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:06.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:10:17.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv"
}
],
"source": {
"advisory": "GHSA-rx22-g9mx-qrhv",
"discovery": "UNKNOWN"
},
"title": "Rack: Header injection in multipart requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26962",
"datePublished": "2026-04-02T17:10:17.091Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-04-03T18:13:06.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34835 (GCVE-0-2026-34835)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:09 – Updated: 2026-04-02 17:44
VLAI?
Title
Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:43:54.517566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:44:03.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:09:07.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5"
}
],
"source": {
"advisory": "GHSA-g2pf-xv49-m2h5",
"discovery": "UNKNOWN"
},
"title": "Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34835",
"datePublished": "2026-04-02T17:09:07.047Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T17:44:03.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34827 (GCVE-0-2026-34827)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:07 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:42:04.834994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:16.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:07:48.279Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x"
}
],
"source": {
"advisory": "GHSA-v6x5-cg8r-vv6x",
"discovery": "UNKNOWN"
},
"title": "Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34827",
"datePublished": "2026-04-02T17:07:48.279Z",
"dateReserved": "2026-03-30T20:52:53.283Z",
"dateUpdated": "2026-04-03T18:13:16.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32762 (GCVE-0-2026-32762)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:06 – Updated: 2026-04-02 17:42
VLAI?
Title
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Summary
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Severity ?
4.8 (Medium)
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:42:32.117443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:42:42.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:06:50.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49"
}
],
"source": {
"advisory": "GHSA-qfgr-crr9-7r49",
"discovery": "UNKNOWN"
},
"title": "Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32762",
"datePublished": "2026-04-02T17:06:50.819Z",
"dateReserved": "2026-03-13T18:53:03.533Z",
"dateUpdated": "2026-04-02T17:42:42.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34830 (GCVE-0-2026-34830)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:47 – Updated: 2026-04-02 18:59
VLAI?
Title
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.9 (Medium)
CWE
- CWE-625 - Permissive Regular Expression
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:59:36.006369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:59:46.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-625",
"description": "CWE-625: Permissive Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:47:40.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7"
}
],
"source": {
"advisory": "GHSA-qv7j-4883-hwh7",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34830",
"datePublished": "2026-04-02T16:47:40.490Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T18:59:46.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34829 (GCVE-0-2026-34829)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:46 – Updated: 2026-04-02 17:41
VLAI?
Title
Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:41:27.704414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:41:33.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:46:47.357Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw"
}
],
"source": {
"advisory": "GHSA-8vqr-qjwx-82mw",
"discovery": "UNKNOWN"
},
"title": "Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34829",
"datePublished": "2026-04-02T16:46:47.357Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-02T17:41:33.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34826 (GCVE-0-2026-34826)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:45 – Updated: 2026-04-03 18:13
VLAI?
Title
Rack: Unbounded Range Count in get_byte_ranges Enables DoS
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:42:34.710335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:27.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:45:53.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx"
}
],
"source": {
"advisory": "GHSA-x8cg-fq8g-mxfx",
"discovery": "UNKNOWN"
},
"title": "Rack: Unbounded Range Count in get_byte_ranges Enables DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34826",
"datePublished": "2026-04-02T16:45:53.964Z",
"dateReserved": "2026-03-30T20:52:53.283Z",
"dateUpdated": "2026-04-03T18:13:27.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34786 (GCVE-0-2026-34786)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:44 – Updated: 2026-04-03 17:38
VLAI?
Title
Rack: Rack::Static header_rules bypass via URL-encoded paths
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34786",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:37:20.498682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:38:11.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:44:59.694Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh"
}
],
"source": {
"advisory": "GHSA-q4qf-9j86-f5mh",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Static header_rules bypass via URL-encoded paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34786",
"datePublished": "2026-04-02T16:44:59.694Z",
"dateReserved": "2026-03-30T19:54:55.556Z",
"dateUpdated": "2026-04-03T17:38:11.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34785 (GCVE-0-2026-34785)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:44 – Updated: 2026-04-02 18:59
VLAI?
Title
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:58:57.726888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:59:08.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:44:17.134Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"
}
],
"source": {
"advisory": "GHSA-h2jq-g4cq-5ppq",
"discovery": "UNKNOWN"
},
"title": "Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34785",
"datePublished": "2026-04-02T16:44:17.134Z",
"dateReserved": "2026-03-30T19:54:55.556Z",
"dateUpdated": "2026-04-02T18:59:08.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34763 (GCVE-0-2026-34763)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:43 – Updated: 2026-04-02 17:41
VLAI?
Title
Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
CWE
- CWE-625 - Permissive Regular Expression
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T17:41:04.738315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:41:12.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-625",
"description": "CWE-625: Permissive Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:43:42.189Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp"
}
],
"source": {
"advisory": "GHSA-7mqq-6cf9-v2qp",
"discovery": "UNKNOWN"
},
"title": "Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34763",
"datePublished": "2026-04-02T16:43:42.189Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-04-02T17:41:12.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34831 (GCVE-0-2026-34831)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:43 – Updated: 2026-04-03 17:48
VLAI?
Title
Rack: Content-Length mismatch in Rack::Files error responses
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
4.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:43:52.462237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:48:11.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-135",
"description": "CWE-135: Incorrect Calculation of Multi-Byte String Length",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:43:08.762Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388"
}
],
"source": {
"advisory": "GHSA-q2ww-5357-x388",
"discovery": "UNKNOWN"
},
"title": "Rack: Content-Length mismatch in Rack::Files error responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34831",
"datePublished": "2026-04-02T16:43:08.762Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T17:48:11.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26961 (GCVE-0-2026-26961)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:42 – Updated: 2026-04-03 17:58
VLAI?
Title
Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
CWE
- CWE-436 - Interpretation Conflict
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:57:50.290547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:58:12.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:42:16.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"
}
],
"source": {
"advisory": "GHSA-vgpv-f759-9wx3",
"discovery": "UNKNOWN"
},
"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26961",
"datePublished": "2026-04-02T16:42:16.766Z",
"dateReserved": "2026-02-16T22:20:28.611Z",
"dateUpdated": "2026-04-03T17:58:12.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34230 (GCVE-0-2026-34230)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:41 – Updated: 2026-04-03 18:19
VLAI?
Title
Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:56:03.220311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:19:00.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:41:21.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr"
}
],
"source": {
"advisory": "GHSA-v569-hp3g-36wr",
"discovery": "UNKNOWN"
},
"title": "Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34230",
"datePublished": "2026-04-02T16:41:21.095Z",
"dateReserved": "2026-03-26T16:22:29.034Z",
"dateUpdated": "2026-04-03T18:19:00.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25500 (GCVE-0-2026-25500)
Vulnerability from cvelistv5 – Published: 2026-02-18 18:59 – Updated: 2026-02-18 19:42
VLAI?
Title
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:42:04.480536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:42:35.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:59:31.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp"
},
{
"name": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff"
}
],
"source": {
"advisory": "GHSA-whrj-4476-wvmp",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25500",
"datePublished": "2026-02-18T18:59:31.964Z",
"dateReserved": "2026-02-02T18:21:42.485Z",
"dateUpdated": "2026-02-18T19:42:35.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22860 (GCVE-0-2026-22860)
Vulnerability from cvelistv5 – Published: 2026-02-18 18:45 – Updated: 2026-02-18 19:28
VLAI?
Title
Rack has a Directory Traversal via Rack:Directory
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:27:31.243687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:28:38.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:45:02.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh"
},
{
"name": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7"
}
],
"source": {
"advisory": "GHSA-mxw3-3hh2-x2mh",
"discovery": "UNKNOWN"
},
"title": "Rack has a Directory Traversal via Rack:Directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22860",
"datePublished": "2026-02-18T18:45:02.095Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-18T19:28:38.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}