Moderate severity · NVD Advisory · Published Feb 18, 2026 · Updated Feb 18, 2026
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
CVE-2026-25500
Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). Clicking the entry executes JavaScript in the browser (demonstrated with alert(1)). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
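The mechanism in the description, as an added Ruby example that is not Rack's source and not the project's fix: a directory-index renderer in the vulnerable shape (basename HTML-escaped but dropped straight into `href`), a hardened shape beside it, a small URL-parser check that decides whether a rendered `href` carries a scheme the way a browser would, and a scan that lists the basenames in a served directory that would turn into scheme-bearing links. `SAMPLE_BASENAMES` is constructed data; the function names are mine.

```ruby
require "erb"

# Constructed sample basenames (not taken from the advisory) as they might sit
# in a directory served by Rack::Directory. ':' is a legal filename character
# on Linux and macOS, so a writable served directory is all an attacker needs.
SAMPLE_BASENAMES = [
  "report.pdf",
  "javascript:alert(1)",                # the advisory's example
  "JavaScript:alert(document.domain)",  # schemes are case-insensitive
  "data:text/html,<b>x</b>",            # any scheme is a problem, not only javascript:
  "notes:2026.txt",                     # even a harmless "word:" prefix parses as a scheme
  "a&b.txt",                            # plain name that needs HTML escaping only
].freeze

# Vulnerable shape, modelled on the advisory's description (this is not Rack's
# own code): the basename is HTML-escaped, which is the right defence against
# markup injection, but it lands in href unchanged, so a basename that starts
# with "scheme:" becomes an absolute URL in that scheme.
def vulnerable_entry(basename)
  name = ERB::Util.html_escape(basename)
  %(<a href="#{name}">#{name}</a>)
end

# Hardened shape (my own, not the project's fix): percent-encode the basename as
# a single relative path segment and anchor it with "./". "%3A" is not a scheme
# delimiter, so the browser can only resolve this to a child of the listed
# directory. The visible label is still just HTML-escaped.
def hardened_entry(basename)
  href = "./#{ERB::Util.url_encode(basename)}"
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(basename)}</a>)
end

# What a URL parser sees: a reference has a scheme when a scheme token is
# followed by ':' before any '/', '?' or '#'. Percent-encoded or "./"-prefixed
# values never match.
SCHEME_RE = /\A[A-Za-z][A-Za-z0-9+.\-]*:/

# The five entities ERB::Util.html_escape emits; the browser decodes these
# before it resolves the URL, so the check has to decode them too.
HTML_ENTITIES = {
  "&amp;" => "&", "&lt;" => "<", "&gt;" => ">", "&quot;" => '"', "&#39;" => "'",
}.freeze

# Pull the href attribute back out of a rendered anchor, entity-decoded.
def href_of(anchor)
  anchor[/href="([^"]*)"/, 1].gsub(/&(?:amp|lt|gt|quot|#39);/, HTML_ENTITIES)
end

def dangerous_href?(href)
  SCHEME_RE.match?(href)
end

# Practitioner check: which basenames in a listing would become scheme-bearing
# links under the vulnerable rendering.
def risky_basenames_in(basenames)
  basenames.select { |b| SCHEME_RE.match?(b) }
end

# Same check against a real directory; only basenames matter, so symlinks and
# subdirectories are included as well.
def risky_basenames(dir)
  risky_basenames_in(Dir.children(dir))
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_BASENAMES.each do |b|
    v = vulnerable_entry(b)
    flag = dangerous_href?(href_of(v)) ? "  <- scheme-bearing href" : ""
    puts b.inspect
    puts "  vulnerable: #{v}#{flag}"
    puts "  hardened:   #{hardened_entry(b)}"
  end
  puts "risky basenames: #{risky_basenames_in(SAMPLE_BASENAMES).inspect}"
end
```

Two preconditions follow from the description and are worth keeping in mind when triaging: the attacker must be able to create a file with such a basename inside a directory that Rack::Directory serves (an upload feature writing user-controlled names to disk is the usual route), and a victim must click the entry, since a `javascript:` href does not run on page load. Upgrading to 2.2.22, 3.1.20 or 3.2.5 is the fix; running `risky_basenames` over served directories, or rejecting scheme-shaped basenames at upload time, is defence in depth, not a substitute.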
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rack | RubyGems | < 2.2.22 | 2.2.22 |
| rack | RubyGems | >= 3.0.0.beta1, < 3.1.20 | 3.1.20 |
| rack | RubyGems | >= 3.2.0, < 3.2.5 | 3.2.5 |
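The three ranges in the table, turned into an added check (not part of this page or of Rack) that a practitioner can run against a Gemfile.lock. It uses `Gem::Version` so that the `3.0.0.beta1` prerelease boundary compares correctly, which a plain string comparison gets wrong. `SAMPLE_LOCKFILE` is constructed data and the function names are mine.

```ruby
require "rubygems"

# Affected ranges exactly as listed in the advisory's "Affected packages" table.
AFFECTED_RACK_RANGES = [
  Gem::Requirement.new("< 2.2.22"),
  Gem::Requirement.new(">= 3.0.0.beta1", "< 3.1.20"),
  Gem::Requirement.new(">= 3.2.0", "< 3.2.5"),
].freeze

# Patched releases from the same table, in ascending order.
PATCHED_RACK_VERSIONS = %w[2.2.22 3.1.20 3.2.5].freeze

# True when the given rack version falls inside any affected range.
# Gem::Version orders prereleases correctly (3.0.0.beta1 < 3.0.0 < 3.0.1).
def rack_affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RACK_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Lowest patched release above the given version, or nil when not affected.
# A 3.0.x install has no 3.0 patch, so it is pointed at 3.1.20.
def rack_fix_for(version_string)
  return nil unless rack_affected?(version_string)
  v = Gem::Version.new(version_string)
  fix = PATCHED_RACK_VERSIONS.map { |p| Gem::Version.new(p) }.find { |p| p > v }
  fix&.to_s
end

# Resolved gems in a Gemfile.lock sit under "specs:" indented by four spaces;
# their dependency lines are indented by six, so the anchored regex skips them.
def rack_version_from_lockfile(lockfile_text)
  lockfile_text[/^ {4}rack \(([^)\s]+)\)$/, 1]
end

# Constructed lockfile fragment (assumption: not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.19)
      rack-session (2.0.0)
        rack (>= 3.0.0)
      rackup (2.1.0)
        rack (>= 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
LOCK

if $PROGRAM_NAME == __FILE__
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  version = rack_version_from_lockfile(text)
  if version.nil?
    puts "rack not found in lockfile"
  elsif rack_affected?(version)
    puts "rack #{version} is affected by CVE-2026-25500; upgrade to #{rack_fix_for(version)}"
  else
    puts "rack #{version} is not in an affected range"
  end
end
```

Run it as `ruby check_rack.rb Gemfile.lock`; with no argument it evaluates the constructed sample. The lockfile regex deliberately reads only the `specs:` entry, because dependency constraints such as `rack (>= 3.0.0)` say nothing about which version was actually resolved.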
Affected products
72 OSV coordinates from downstream distributions; none of them carries a CPE.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/gitlab-exporter-18.6 | < 18.6.6-r1 |
| pkg:apk/chainguard/gitlab-exporter-18.7 | < 18.7.4-r1 |
| pkg:apk/chainguard/gitlab-exporter-18.8 | < 18.8.4-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.1 | < 18.1.6-r13 |
| pkg:apk/chainguard/gitlab-rails-ce-18.8 | < 18.8.7-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-18.9 | < 18.9.3-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.8 | < 18.8.7-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.3-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/chainguard/logstash-8.17 | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.17-iamguarded-compat | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.17-with-output-opensearch | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.2 | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.2-iamguarded-compat | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.2-with-output-opensearch | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.3 | < 9.3.1-r1 |
| pkg:apk/chainguard/logstash-9.3-iamguarded-compat | < 9.3.1-r1 |
| pkg:apk/chainguard/logstash-9.3-with-output-opensearch | < 9.3.1-r1 |
| pkg:apk/chainguard/ruby3.2-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/chainguard/ruby3.2-rails-7.1 | < 7.1.6-r2 |
| pkg:apk/chainguard/ruby3.2-rails-7.2 | < 7.2.3-r2 |
| pkg:apk/chainguard/ruby3.2-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/chainguard/ruby3.2-rails-8.1 | < 8.1.2-r1 |
| pkg:apk/chainguard/ruby3.3-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/chainguard/ruby3.3-rails-7.1 | < 7.1.6-r2 |
| pkg:apk/chainguard/ruby3.3-rails-7.2 | < 7.2.3-r2 |
| pkg:apk/chainguard/ruby3.3-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/chainguard/ruby3.3-rails-8.1 | < 8.1.2-r2 |
| pkg:apk/chainguard/ruby3.4-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/chainguard/ruby3.4-rails-7.1 | < 7.1.6-r2 |
| pkg:apk/chainguard/ruby3.4-rails-7.2 | < 7.2.3-r2 |
| pkg:apk/chainguard/ruby3.4-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/chainguard/ruby3.4-rails-8.1 | < 8.1.2-r1 |
| pkg:apk/chainguard/ruby4.0-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/chainguard/ruby4.0-rails-7.1 | < 7.1.6-r1 |
| pkg:apk/chainguard/ruby4.0-rails-7.2 | < 7.2.3-r2 |
| pkg:apk/chainguard/ruby4.0-rails-8.0 | < 8.0.4-r1 |
| pkg:apk/chainguard/ruby4.0-rails-8.1 | < 8.1.2-r1 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.2 | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.2-iamguarded-compat | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.2-with-output-opensearch | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.3 | < 9.3.1-r1 |
| pkg:apk/wolfi/logstash-9.3-iamguarded-compat | < 9.3.1-r1 |
| pkg:apk/wolfi/logstash-9.3-with-output-opensearch | < 9.3.1-r1 |
| pkg:apk/wolfi/ruby3.2-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/wolfi/ruby3.2-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/wolfi/ruby3.2-rails-8.1 | < 8.1.2-r1 |
| pkg:apk/wolfi/ruby3.3-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/wolfi/ruby3.3-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/wolfi/ruby3.3-rails-8.1 | < 8.1.2-r2 |
| pkg:apk/wolfi/ruby3.4-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/wolfi/ruby3.4-rails-8.0 | < 8.0.4-r2 |
| pkg:apk/wolfi/ruby3.4-rails-8.1 | < 8.1.2-r1 |
| pkg:apk/wolfi/ruby4.0-rack-2.2 | < 2.2.22-r0 |
| pkg:apk/wolfi/ruby4.0-rails-8.1 | < 8.1.2-r1 |
| pkg:gem/rack | < 2.2.22 |
| pkg:rpm/opensuse/rubygem-rack-2.2 (openSUSE Tumbleweed) | < 2.2.22-1.1 |
Patches
Vulnerability mechanics
References
- github.com/advisories/GHSA-whrj-4476-wvmp (GitHub advisory database entry)
- nvd.nist.gov/vuln/detail/CVE-2026-25500 (NVD entry)
- github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff (fix commit)
- github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml (ruby-advisory-db entry)