
rubyonrails rails

117 known vulnerabilities across versions
Vulnerabilities are listed by affected version, with the CVSS score and severity given for each entry where available.
CVE-2026-33658
< 7.2.3.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
6.5 MEDIUM
CVE-2026-33202
< 7.2.3.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
9.1 CRITICAL
CVE-2026-33195
< 7.2.3.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
9.8 CRITICAL
CVE-2026-33176
< 7.2.3.1
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.
7.5 HIGH
CVE-2026-33174
< 7.2.3.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
7.5 HIGH
CVE-2026-33173
< 7.2.3.1
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1
5.3 MEDIUM
CVE-2026-33170
< 7.2.3.1
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.
6.1 MEDIUM
CVE-2026-33169
< 7.2.3.1
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedCo
5.3 MEDIUM
CVE-2024-32464
>= 7.1.0 and < 7.1.3.4
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within
6.1 MEDIUM
CVE-2024-28103
>= 6.1.0 and < 6.1.7.8
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Poli
5.4 MEDIUM
CVE-2024-26144
>= 5.2.0 and < 6.1.7.7
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Activ
5.3 MEDIUM
CVE-2024-26143
>= 7.0.0 and < 7.0.8.1
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controlle
6.1 MEDIUM
CVE-2024-26142
>= 7.1.0 and < 7.1.3.1
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header pars
7.5 HIGH
CVE-2023-22797
>= 7.0.0 and < 7.0.4.1
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to w
6.1 MEDIUM
CVE-2023-22795
< 6.1.7.1
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A speci
7.5 HIGH
CVE-2023-22792
>= 3.0.0 and < 6.0.6.1
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in co
7.5 HIGH
CVE-2022-3704
all versions
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib
3.5 LOW
CVE-2022-23634
>= 5.0.0 and < 5.2.6.2
Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the r
8.0 HIGH
CVE-2022-23633
>= 5.0.0 and < 5.2.6.2
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be cl
7.4 HIGH
CVE-2021-44528
all versions
An open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft "X-Forwarded-Host" headers in
6.1 MEDIUM
CVE-2011-1497
< 3.0.6
A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
6.1 MEDIUM
CVE-2021-22942
>= 6.0.0 and < 6.0.4.1
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to
6.1 MEDIUM
CVE-2021-22904
< 5.2.4.6
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Tok
7.5 HIGH
CVE-2021-22903
>= 6.1.1 and < 6.1.3.2
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in comb
6.1 MEDIUM
CVE-2021-22902
>= 6.0.0 and < 6.0.3.7
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a
7.5 HIGH
CVE-2021-22885
>= 5.2.0.0 and < 5.2.4.6
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the redirect_to
7.5 HIGH
CVE-2021-22881
>= 6.0.0 and < 6.0.3.5
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially cr
6.1 MEDIUM
CVE-2021-22880
>= 4.2.0 and < 5.2.4.5
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDo
7.5 HIGH
CVE-2020-8264
>= 6.0.0 and < 6.0.3.4
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an att
6.1 MEDIUM
CVE-2020-8185
>= 6.0.0 and < 6.0.3.2
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails
6.5 MEDIUM
CVE-2020-8166
< 5.2.4.3
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF
4.3 MEDIUM
CVE-2020-8163
< 5.0.1
There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals
8.8 HIGH
CVE-2020-8167
< 5.2.4.3
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
6.5 MEDIUM
CVE-2020-8165
< 5.2.4.3
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unma
9.8 CRITICAL
CVE-2020-8164
< 5.2.4.3
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply
7.5 HIGH
CVE-2020-8162
< 5.2.4.2
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 a
7.5 HIGH
CVE-2010-3299
all versions
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
6.5 MEDIUM
CVE-2019-5420
< 5.2.2.1
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automati
9.8 CRITICAL
CVE-2019-5419
< 4.2.11.1
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially
7.5 HIGH
CVE-2019-5418
>= 3.0.0 and < 4.2.11.1
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially cra
7.5 HIGH
CVE-2018-16477
>= 5.2.0 and < 5.2.1.1
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `cont
6.5 MEDIUM
CVE-2018-16476
>= 4.2.0 and < 4.2.11
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Activ
7.5 HIGH
CVE-2017-17917
<= 5.1.4
SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary
8.1 HIGH
CVE-2017-17916
<= 5.1.4
SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrar
8.1 HIGH
CVE-2016-6317
all versions
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Activ
7.5 HIGH
CVE-2016-6316
all versions
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5
6.1 MEDIUM
CVE-2016-2098
all versions
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arb
7.3 HIGH
CVE-2016-2097
all versions
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers
5.3 MEDIUM
CVE-2016-0753
>= 4.1.0 and < 4.1.14.1
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instan
5.3 MEDIUM
CVE-2016-0752
< 3.2.22.1
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4
7.5 HIGH
CVE-2016-0751
all versions
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1,
7.5 HIGH
CVE-2015-7581
all versions
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.
7.5 HIGH
CVE-2015-7577
all versions
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4
5.3 MEDIUM
CVE-2015-7576
all versions
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authenticati
3.7 LOW
CVE-2015-3227
all versions
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or
CVE-2015-3226
all versions
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.
CVE-2014-7829
all versions
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x befor
CVE-2014-3916
all versions
The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service
CVE-2014-7818
all versions
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x befor
CVE-2014-3514
all versions
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1
CVE-2014-3483
all versions
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter
CVE-2014-3482
all versions
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter
CVE-2014-0130
< 3.2.18
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on R
7.5 HIGH
CVE-2014-0082
all versions
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbol
CVE-2014-0081
all versions
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before
CVE-2014-0080
all versions
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on R
CVE-2013-6417
<= 4.0.1
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider diff
CVE-2013-6416
<= 4.0.1
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby
CVE-2013-6415
<= 4.0.1
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb i
CVE-2013-6414
<= 4.0.1
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote
CVE-2013-4491
<= 4.0.1
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization c
CVE-2013-4389
>= 3.0.0 and < 3.2.15
Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rail
CVE-2013-3221
all versions
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a datab
CVE-2013-1857
all versions
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails b
CVE-2013-1856
all versions
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.
CVE-2013-1855
all versions
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rai
CVE-2013-1854
all versions
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain q
CVE-2013-0277
all versions
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute a
CVE-2013-0276
all versions
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the at
CVE-2013-0333
all versions
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JS
CVE-2013-0156
>= 3.2.0 and < 3.2.11
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x be
CVE-2013-0155
>= 3.2.0 and < 3.2.11
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in paramete
CVE-2012-6497
< 3.2.10
The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method cal
CVE-2012-6496
all versions
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.
CVE-2012-3465
all versions
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby
CVE-2012-3464
all versions
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails bef
CVE-2012-3463
all versions
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.
CVE-2012-3424
all versions
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16,
CVE-2012-2695
all versions
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement
CVE-2012-2694
all versions
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not
CVE-2012-2661
all versions
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly imp
CVE-2012-2660
all versions
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not
CVE-2012-1099
all versions
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby
CVE-2012-1098
all versions
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows r
CVE-2011-4319
all versions
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x bef
CVE-2011-3187
all versions
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded
CVE-2011-3186
all versions
CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote at
CVE-2011-2932
all versions
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x
CVE-2011-2931
all versions
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/nod
CVE-2011-2930
all versions
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_reco
CVE-2011-2929
all versions
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3
CVE-2011-2197
all versions
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.r
CVE-2011-0449
all versions
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, d
CVE-2011-0448
all versions
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easie
CVE-2011-0447
all versions
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain a
CVE-2011-0446
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, wh
CVE-2010-3933
all versions
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary record
CVE-2008-7248
all versions
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows
CVE-2009-4214
all versions
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows
CVE-2009-3086
all versions
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of messag
CVE-2009-3009
all versions
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inj
CVE-2008-5189
all versions
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HT
CVE-2008-4094
all versions
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via
CVE-2007-6077
all versions
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only att
CVE-2007-3227
all versions
Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 al
CVE-2006-4112
all versions
Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to
CVE-2006-4111
all versions
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload reques
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin