<![CDATA[RubySec]]>2026-05-23T20:12:48+00:00https://rubysec.com/Jekyll<![CDATA[CVE-2026-44837 (view_component): view_component - System Test Entry Point Path Check Allows Sibling Directory Escape]]>https://rubysec.com/advisories/CVE-2026-448372026-05-08T00:00:00+00:00<![CDATA[CVE-2026-44836 (view_component): view_component - Preview Route Can Dispatch Inherited Helper Methods']]>https://rubysec.com/advisories/CVE-2026-448362026-05-08T00:00:00+00:00<![CDATA[CVE-2026-40295 (devise): Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler]]>https://rubysec.com/advisories/CVE-2026-402952026-05-08T00:00:00+00:00<![CDATA[CVE-2026-44511 (katalyst-koi): Session cookies can be replayed after user logout]]>https://rubysec.com/advisories/CVE-2026-445112026-05-07T00:00:00+00:00<![CDATA[CVE-2026-44312 (css_parser): Improper Certificate Validation allows MITM injection of remote CSS content]]>https://rubysec.com/advisories/CVE-2026-443122026-05-07T00:00:00+00:00<![CDATA[CVE-2025-67202 (sidekiq-cron): Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL]]>https://rubysec.com/advisories/CVE-2025-672022026-05-07T00:00:00+00:00<![CDATA[GHSA-v2fc-qm4h-8hqv (nokogiri): Nokogiri XSLT transform has a memory leak]]>https://rubysec.com/advisories/GHSA-v2fc-qm4h-8hqv2026-05-06T00:00:00+00:00= 1.19.3`.
Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.
## Severity
The Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.
Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.
Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.
## Resources
- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)
## Credit
This vulnerability was responsibly reported by @Captainjack-kor.]]><![CDATA[GHSA-c4rq-3m3g-8wgx (nokogiri): Nokogiri CSS selector tokenizer has regular expression backtracking]]>https://rubysec.com/advisories/GHSA-c4rq-3m3g-8wgx2026-05-06T00:00:00+00:00= 1.19.3`.
If users are unable to upgrade, two options are available:
- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.
- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.
## Severity
The Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).
An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.
## Resources
- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)
## Credit
Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.]]><![CDATA[GHSA-3h96-34p3-xm76 (graphql): GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens]]>https://rubysec.com/advisories/GHSA-3h96-34p3-xm762026-05-05T00:00:00+00:00<![CDATA[CVE-2026-42258 (net-imap): net-imap vulnerable to command Injection via unvalidated Symbol inputs]]>https://rubysec.com/advisories/CVE-2026-422582026-05-04T00:00:00+00:00<![CDATA[CVE-2026-42257 (net-imap): net-imap vulnerable to command Injection via "raw" arguments to multiple commands]]>https://rubysec.com/advisories/CVE-2026-422572026-05-04T00:00:00+00:00<![CDATA[CVE-2026-42256 (net-imap): net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication]]>https://rubysec.com/advisories/CVE-2026-422562026-05-04T00:00:00+00:00 A hostile server can perform a computational denial-of-service attack on
> clients by sending a big iteration count value. In order to defend against
> that, a client implementation can pick a maximum iteration count that it is
> willing to use and reject any values that exceed that threshold (in such
> cases, the client, of course, has to fail the authentication).
### Impact
During SCRAM authentication to a hostile server, the entire Ruby VM will be
locked for the duration of the computation. Depending on hardware
capabilities and OpenSSL version, this may take many minutes.
`OpenSSL::KDF.pbkdf2_hmac` is a blocking C function, so `Timeout` cannot be
used to guard against this. And it retains the Global VM lock, so other ruby
threads will also be unable to run.
### Mitigation
* Upgrade to a patched version of `net-imap` that adds the `max_iterations`
option to the `SASL-*` authenticators, and call `Net::IMAP#authenticate`
with a `max_iterations` keyword argument.
**NOTE:** The default `max_iterations` is `2³¹ - 1`, the maximum signed 32
bit integer, the maximum allowed by OpenSSL.
_To prevent a denial of service attack,_ this must be set to a safe value,
depending on hardware and version of OpenSSL. _It is the user's
responsibility_ to enforce minimum and maximum iteration counts that are
appropriate for their security context.
* Alternatively, avoid `SCRAM-*` mechanisms when authenticating to untrusted
servers.]]><![CDATA[CVE-2026-42246 (net-imap): net-imap vulnerable to STARTTLS stripping via invalid response timing]]>https://rubysec.com/advisories/CVE-2026-422462026-05-04T00:00:00+00:00<![CDATA[CVE-2026-42245 (net-imap): net-imap has quadratic complexity when reading response literals]]>https://rubysec.com/advisories/CVE-2026-422452026-05-04T00:00:00+00:00<![CDATA[CVE-2026-42205 (avo): Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources]]>https://rubysec.com/advisories/CVE-2026-422052026-04-24T00:00:00+00:00<![CDATA[GHSA-2wvh-87g2-89hr (openc3): OpenC3 COSMOS - Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool]]>https://rubysec.com/advisories/GHSA-2wvh-87g2-89hr2026-04-23T00:00:00+00:00<![CDATA[CVE-2026-42087 (openc3): OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database]]>https://rubysec.com/advisories/CVE-2026-420872026-04-23T00:00:00+00:00<![CDATA[CVE-2026-42086 (openc3): OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender]]>https://rubysec.com/advisories/CVE-2026-420862026-04-22T00:00:00+00:00<![CDATA[CVE-2026-42085 (openc3): OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames]]>https://rubysec.com/advisories/CVE-2026-420852026-04-22T00:00:00+00:00<![CDATA[CVE-2026-42084 (openc3): OpenC3 COSMOS - Hijacked session token can be used to reset password for persistence]]>https://rubysec.com/advisories/CVE-2026-420842026-04-22T00:00:00+00:00