VYPR

Active Storage

by Rubyonrails

CVEs (4)

  • CVE-2026-33202 (Mar 23, 2026)
    risk 0.00 | cvss | epss 0.01

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains…

  • CVE-2026-33195 (Mar 23, 2026)
    risk 0.00 | cvss | epss 0.01

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob…

  • CVE-2026-33174 (Mar 23, 2026)
    risk 0.00 | cvss | epss 0.01

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before…

  • CVE-2026-33173 (Mar 23, 2026)
    risk 0.00 | cvss | epss 0.00

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and…