VYPR

apk package

chainguard/ruby3.4-rails-8.0

pkg:apk/chainguard/ruby3.4-rails-8.0

Vulnerabilities (50)

  • CVE-2026-34826MedApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte c

  • CVE-2026-34786MedApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a re

  • CVE-2026-34785HigApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path

  • CVE-2026-34763MedApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or .,

  • CVE-2026-34230MedApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Defl

  • CVE-2026-26961LowApr 2, 2026
    affected < 8.0.5-r2fixed 8.0.5-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack sel

  • CVE-2026-33658MedMar 26, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes d

  • CVE-2026-33202Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains

  • CVE-2026-33195Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key

  • CVE-2026-33176Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands

  • CVE-2026-33174Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sendi

  • CVE-2026-33173Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `anal

  • CVE-2026-33168LowMar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed

  • CVE-2026-33170Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in pl

  • CVE-2026-33169Mar 23, 2026
    affected < 8.0.5-r0fixed 8.0.5-r0

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the i

  • CVE-2026-25500Feb 18, 2026
    affected < 8.0.4-r2fixed 8.0.4-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g.

  • CVE-2026-22860Feb 18, 2026
    affected < 8.0.4-r2fixed 8.0.4-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root stri

  • CVE-2025-61919Oct 10, 2025
    affected < 8.0.3-r2fixed 8.0.3-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61780Oct 10, 2025
    affected < 8.0.3-r2fixed 8.0.3-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca

  • CVE-2025-61772Oct 7, 2025
    affected < 8.0.3-r1fixed 8.0.3-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin