apk package
chainguard/ruby3.2-rails-8.1
pkg:apk/chainguard/ruby3.2-rails-8.1
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33169 | — | | | < 8.1.3-r0 | 8.1.3-r0 | Mar 23, 2026 | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the i |
| CVE-2026-33167 | — | | | < 8.1.3-r0 | 8.1.3-r0 | Mar 23, 2026 | Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript i |
| CVE-2026-33210 | — | | | < 8.1.3-r0 | 8.1.3-r0 | Mar 20, 2026 | Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used |
| CVE-2026-25500 | — | | | < 8.1.2-r1 | 8.1.2-r1 | Feb 18, 2026 | Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. |
| CVE-2026-22860 | — | | | < 8.1.2-r1 | 8.1.2-r1 | Feb 18, 2026 | Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root stri |
Page 2 of 2