Carrierwaveuploader
Products
1- Carrierwave5 CVEsgem
Recent CVEs
5| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44587 | 0.00 | — | 0.00 | May 27, 2026 | ### Summary CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. **Note**: CarrierWave is aware `#content_type_denylist is deprecated for the… | |||
| CVE-2024-29034 | 0.00 | — | 0.00 | Mar 24, 2024 | CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a… | |||
| CVE-2023-49090 | 0.00 | — | 0.01 | Nov 29, 2023 | CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a… | |||
| CVE-2021-21305 | 0.00 | — | 0.13 | Feb 8, 2021 | CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation… | |||
| CVE-2021-21288 | 0.00 | — | 0.01 | Feb 8, 2021 | CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are… |
- CVE-2026-44587May 27, 2026risk 0.00cvss —epss 0.00
### Summary CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. **Note**: CarrierWave is aware `#content_type_denylist is deprecated for the…
- CVE-2024-29034Mar 24, 2024risk 0.00cvss —epss 0.00
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a…
- CVE-2023-49090Nov 29, 2023risk 0.00cvss —epss 0.01
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a…
- CVE-2021-21305Feb 8, 2021risk 0.00cvss —epss 0.13
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation…
- CVE-2021-21288Feb 8, 2021risk 0.00cvss —epss 0.01
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are…