RubyGems vulnerabilities | Corgea Advisories

CRITICAL 9.8

RubyGems

CVE-2026-27820

Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption

Apr 16, 2026

CRITICAL 9.8

RubyGems

CVE-2011-10019

Spree has Remote Command Execution vulnerability in search functionality

Aug 13, 2025

CRITICAL 9.8

RubyGems

CVE-2019-11068

Nokogiri vulnerable to libxslt protection mechanism bypass

May 13, 2022

CRITICAL 10.0

RubyGems

CVE-2024-45409

SAML authentication bypass via Incorrect XPath selector

Sep 10, 2024

CRITICAL 9.6

RubyGems

CVE-2026-42087

OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Apr 23, 2026

CRITICAL 9.8

RubyGems

CVE-2022-32224

Active Record RCE bug with Serialized Columns

Jul 12, 2022

CRITICAL 9.6

RubyGems

GHSA-2wvh-87g2-89hr

OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool

Apr 23, 2026

CRITICAL 9.1

RubyGems

CVE-2026-33286

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Mar 20, 2026

CRITICAL 9.8

RubyGems

CVE-2022-21831

Possible code injection vulnerability in Rails / Active Storage

Mar 8, 2022

CRITICAL 9.8

RubyGems

CVE-2022-25648

Command injection in ruby-git

Apr 20, 2022

CRITICAL 9.8

RubyGems

CVE-2019-13589

paranoid2 gem Code backdoor

Jul 16, 2019

CRITICAL 9.8

RubyGems

CVE-2019-10842

Bootstrap-sass contains code execution backdoor

Apr 4, 2019

CRITICAL 9.8

RubyGems

CVE-2019-14281

datagrid contains code Injection backdoor

Jul 31, 2019

CRITICAL 9.8

RubyGems

CVE-2019-16676

Improper Input Validation in simple_form

Sep 30, 2019

CRITICAL 9.3

RubyGems

CVE-2021-41275

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness

Nov 18, 2021

CRITICAL 9.3

RubyGems

CVE-2021-41274

Authentication Bypass by CSRF Weakness

Nov 18, 2021

CRITICAL 9.8

RubyGems

CVE-2019-14282

Code backdoor in simple_captcha2

Jul 31, 2019

CRITICAL 9.8

RubyGems

CVE-2019-10780

BibTeX-Ruby vulnerable to OS command injection

Feb 14, 2020

CRITICAL 9.8

RubyGems

CVE-2021-41816

Buffer overrun in CGI.escape_html

Dec 14, 2021

CRITICAL 9.8

RubyGems

CVE-2024-27280

StringIO buffer overread vulnerability

Mar 25, 2024

CRITICAL 9.8

RubyGems

CVE-2022-32511

JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable

Jun 7, 2022

CRITICAL 9.8

RubyGems

CVE-2025-25292

Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

Mar 12, 2025

CRITICAL 10.0

RubyGems

GHSA-cvp8-5r8g-fhvq

omniauth-saml vulnerable to Improper Verification of Cryptographic Signature

Sep 11, 2024

CRITICAL 9.8

RubyGems

CVE-2025-25291

Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Mar 12, 2025

CRITICAL 10.0

RubyGems

CVE-2025-68271

openc3-api Vulnerable to Unauthenticated Remote Code Execution

Jan 13, 2026

CRITICAL 9.0

RubyGems

CVE-2025-27407

graphql allows remote code execution when loading a crafted GraphQL schema

Mar 12, 2025

CRITICAL 9.1

RubyGems

CVE-2025-28384

OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint

Jun 13, 2025

CRITICAL 9.8

RubyGems

CVE-2014-10075

karo Metacharacter Handling Remote Command Execution

May 14, 2022

CRITICAL 9.1

RubyGems

CVE-2025-54887

JWE is missing AES-GCM authentication tag validation in encrypted JWE

Aug 7, 2025

CRITICAL 9.3

RubyGems

GHSA-gpqc-4pp7-5954

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Nov 18, 2021

CRITICAL 9.3

RubyGems

GHSA-6mqr-q86q-6gwr

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Nov 18, 2021

CRITICAL 9.3

RubyGems

GHSA-8xfw-5q82-3652

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Nov 18, 2021

CRITICAL 9.8

RubyGems

CVE-2020-8165

ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

May 26, 2020

CRITICAL 9.8

RubyGems

CVE-2016-7954

Bundler allows attacker to inject arbitrary code via secondary Gem source

May 14, 2022

CRITICAL 9.8

RubyGems

CVE-2022-36231

Code injection in pdf_info

Feb 24, 2023

CRITICAL 9.0

RubyGems

CVE-2025-27590

Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account

Mar 3, 2025

CRITICAL 9.8

RubyGems

CVE-2015-20108

ruby-saml vulnerable to XPath injection

May 27, 2023

CRITICAL 9.8

RubyGems

CVE-2022-33127

Improper handling of double quotes in file name in Diffy in Windows environment

Jun 24, 2022

CRITICAL 9.8

RubyGems

CVE-2017-10906

Fluentd Escape Sequence Injection Vulnerability

May 13, 2022

CRITICAL 9.8

RubyGems

CVE-2021-33575

Remote code execution in ruby-jss

Oct 6, 2021

CRITICAL 9.8

RubyGems

CVE-2018-16395

Ruby Openssl Allows Incorrect Value Comparison

May 13, 2022

CRITICAL 9.3

RubyGems

GHSA-5629-8855-gf4g

Authentication Bypass by CSRF Weakness

Nov 18, 2021

CRITICAL 9.0

RubyGems

CVE-2024-43415

Decidim-Awesome has SQL injection in AdminAccountability

Nov 12, 2024

CRITICAL 9.8

RubyGems

CVE-2019-17383

netaddr before 1.5.3 and 2.0.4 has Incorrect Default Permissions

Oct 14, 2019

CRITICAL 9.8

RubyGems

CVE-2024-42360

Command Injection in sequenceserver

Aug 13, 2024

CRITICAL 9.8

RubyGems

CVE-2012-3503

Katello uses hard coded credential

May 17, 2022

CRITICAL 9.6

RubyGems

CVE-2023-28102

discordrb OS Command Injection vulnerability

Mar 14, 2024

CRITICAL 9.8

RubyGems

CVE-2018-1000076

RubyGems Improper Verification of Cryptographic Signature vulnerability

May 14, 2022

CRITICAL 9.8

RubyGems

CVE-2017-0903

RubyGems vulnerable to Deserialization of Untrusted Data

May 13, 2022

CRITICAL 9.8

RubyGems

CVE-2019-5420

Use of Insufficiently Random Values in Railties Allows Remote Code Execution

Mar 13, 2019

CRITICAL 9.1

RubyGems

CVE-2021-33473

Arbitrary file write in dragonfly

Jun 3, 2022

CRITICAL 9.8

RubyGems

CVE-2018-12026

Phusion Passenger SpawningKit Contains Arbitrary Read/Write Vulnerability

May 14, 2022

CRITICAL 10.0

RubyGems

CVE-2015-7541

colorscore Command Injection vulnerability

Oct 24, 2017

CRITICAL 9.8

RubyGems

CVE-2022-25765

PDFKit vulnerable to Command Injection

Sep 10, 2022

CRITICAL 10.0

RubyGems

CVE-2022-30123

Possible shell escape sequence injection vulnerability in Rack

May 27, 2022

CRITICAL 9.8

RubyGems

CVE-2019-5477

Nokogiri Command Injection Vulnerability

Aug 19, 2019

CRITICAL 9.8

RubyGems

CVE-2014-0156

OS Command Injection in awesome spawn

Jul 1, 2022

CRITICAL 9.8

RubyGems

CVE-2020-14001

Unintended read access in kramdown gem

Aug 7, 2020

CRITICAL 9.8

RubyGems

CVE-2021-28834

Remote code execution in Kramdown

Mar 29, 2021

CRITICAL 9.8

RubyGems

CVE-2019-16377

Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly

Sep 27, 2019

Know every threat before it ships

Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption

Spree has Remote Command Execution vulnerability in search functionality

Nokogiri vulnerable to libxslt protection mechanism bypass

SAML authentication bypass via Incorrect XPath selector

OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Active Record RCE bug with Serialized Columns

OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Possible code injection vulnerability in Rails / Active Storage

Command injection in ruby-git

paranoid2 gem Code backdoor

Bootstrap-sass contains code execution backdoor

datagrid contains code Injection backdoor

Improper Input Validation in simple_form

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness

Authentication Bypass by CSRF Weakness

Code backdoor in simple_captcha2

BibTeX-Ruby vulnerable to OS command injection

Buffer overrun in CGI.escape_html

StringIO buffer overread vulnerability

JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable

Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

omniauth-saml vulnerable to Improper Verification of Cryptographic Signature

Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

openc3-api Vulnerable to Unauthenticated Remote Code Execution

graphql allows remote code execution when loading a crafted GraphQL schema

OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint

karo Metacharacter Handling Remote Command Execution

JWE is missing AES-GCM authentication tag validation in encrypted JWE

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Duplicate Advisory: Authentication Bypass by CSRF Weakness

ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

Bundler allows attacker to inject arbitrary code via secondary Gem source

Code injection in pdf_info

Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account

ruby-saml vulnerable to XPath injection

Improper handling of double quotes in file name in Diffy in Windows environment

Fluentd Escape Sequence Injection Vulnerability

Remote code execution in ruby-jss

Ruby Openssl Allows Incorrect Value Comparison

Authentication Bypass by CSRF Weakness

Decidim-Awesome has SQL injection in AdminAccountability

netaddr before 1.5.3 and 2.0.4 has Incorrect Default Permissions

Command Injection in sequenceserver

Katello uses hard coded credential

discordrb OS Command Injection vulnerability

RubyGems Improper Verification of Cryptographic Signature vulnerability

RubyGems vulnerable to Deserialization of Untrusted Data

Use of Insufficiently Random Values in Railties Allows Remote Code Execution

Arbitrary file write in dragonfly

Phusion Passenger SpawningKit Contains Arbitrary Read/Write Vulnerability

colorscore Command Injection vulnerability

PDFKit vulnerable to Command Injection

Possible shell escape sequence injection vulnerability in Rack

Nokogiri Command Injection Vulnerability

OS Command Injection in awesome spawn

Unintended read access in kramdown gem

Remote code execution in Kramdown

Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly

Start Securing