VYPR
Moderate severity · NVD Advisory · Published Feb 18, 2026 · Updated Feb 18, 2026

Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

CVE-2026-25500

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index in which each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). Clicking the entry executes JavaScript in the victim's browser (demonstrated with alert(1)). Exploitation therefore requires that an attacker can place a file with such a basename into a directory served by Rack::Directory, for example through an upload feature or a shared volume, and that a user then clicks the entry. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
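The following is an added example and is not Rack's own code or the upstream fix: a toy directory-index renderer that models the bug class described above (an unvalidated basename landing in an anchor href) next to a hardened variant, plus a browser-like check for javascript: URLs that can be run over rendered index HTML. The module name DirIndex, the url_prefix parameter, the assumption that the link target is the URL prefix joined with the raw basename, and the sample file list are all constructed for this illustration.

```ruby
require 'erb'

# Added example, not Rack::Directory: a toy index renderer that models the
# bug class (raw basename in href) and a hardened variant. All names here
# are constructed for illustration.
module DirIndex
  # Constructed sample listing; the second entry is an attacker-chosen basename.
  SAMPLE_NAMES = ['README.md', 'javascript:alert(1)', 'notes 1.txt'].freeze

  # Vulnerable rendering (assumption of this model): the link target is the
  # URL prefix joined with the raw basename, so at the mount root (empty
  # prefix) the href is the bare basename and a "javascript:" name becomes a
  # javascript: URL. HTML-escaping alone does not help: ':' and '(' are not
  # HTML metacharacters, so the scheme survives untouched.
  def self.vulnerable_entry(url_prefix, name)
    href = url_prefix.empty? ? name : "#{url_prefix}/#{name}"
    %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(name)}</a>)
  end

  # Hardened rendering: percent-encode the basename as a single path segment
  # (':' becomes %3A, so no scheme can appear) and always anchor it under a
  # path ('./' at the root), then assert the result cannot parse as scheme:rest.
  def self.hardened_entry(url_prefix, name)
    segment = ERB::Util.url_encode(name)
    base = url_prefix.empty? ? '.' : url_prefix
    href = "#{base}/#{segment}"
    raise ArgumentError, "scheme-like href: #{href}" if href.match?(/\A[a-z][a-z0-9+.\-]*:/i)
    %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(name)}</a>)
  end

  # Render one entry per name, one anchor per line.
  def self.render_index(url_prefix, names, hardened:)
    names.map { |n| hardened ? hardened_entry(url_prefix, n) : vulnerable_entry(url_prefix, n) }.join("\n")
  end

  # Pull every href value out of rendered HTML (sufficient for the markup above).
  def self.hrefs_of(html)
    html.scan(/href="([^"]*)"/).flatten
  end

  # Browser-like check: URL parsers strip leading C0 controls and spaces and
  # drop tab/CR/LF anywhere, and scheme matching is case-insensitive, so
  # " \tJaVaScRiPt:..." is still a javascript: URL. A naive start_with?
  # check on the raw string would miss those variants.
  def self.javascript_url?(href)
    cleaned = href.delete("\t\r\n").sub(/\A[\x00-\x20]+/, '')
    cleaned.downcase.start_with?('javascript:')
  end

  # Detection helper: which hrefs in a rendered index would run script on click.
  def self.javascript_hrefs(html)
    hrefs_of(html).select { |h| javascript_url?(h) }
  end
end

if $PROGRAM_NAME == __FILE__
  vulnerable = DirIndex.render_index('', DirIndex::SAMPLE_NAMES, hardened: false)
  puts vulnerable
  puts "javascript: hrefs: #{DirIndex.javascript_hrefs(vulnerable).inspect}"
  puts DirIndex.render_index('', DirIndex::SAMPLE_NAMES, hardened: true)
end
```

The detection helper can be pointed at a directory index fetched from a deployment to confirm whether it is exposed: any href it returns is one a browser would execute on click. The hardened variant relies on percent-encoding the basename as a path segment rather than on blocklisting the javascript: string, which also covers other URL schemes and the whitespace and case variants the check above accepts.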


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rack (RubyGems); affected: < 2.2.22; patched: 2.2.22
Package: rack (RubyGems); affected: >= 3.0.0.beta1, < 3.1.20; patched: 3.1.20
Package: rack (RubyGems); affected: >= 3.2.0, < 3.2.5; patched: 3.2.5

Affected products: 73

References: 5
