Medium severity6.1NVD Advisory· Published Feb 16, 2016· Updated May 6, 2026

CVE-2015-7579

Description

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rails-html-sanitizerRubyGems	< 1.0.3	1.0.3

Affected products

Rubyonrails/Html Sanitizer
cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*
Range: <=1.0.2

Patches

49dfc1584c5b

https://github.com/rails/rails-html-sanitizervia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-r9c2-cr39-c8g6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-7579ghsaADVISORY
lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.htmlnvdWEB
lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.htmlnvdWEB
lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.htmlnvdWEB
lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.htmlnvdWEB
lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.htmlnvdWEB
www.openwall.com/lists/oss-security/2016/01/25/12nvdWEB
github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3fnvdWEB
groups.google.com/forum/message/rawnvdWEB
web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816ghsaWEB
www.securitytracker.com/id/1034816nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000