
200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

Severity | Score | Ecosystem | Advisory | Title
MEDIUM | 5.3 | RubyGems | CVE-2019-13117 | Uninitialized read in Nokogiri gem
MEDIUM | 4.7 | RubyGems | CVE-2026-44587 | CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
MEDIUM | 6.1 | RubyGems | CVE-2024-26143 | Rails has possible XSS Vulnerability in Action Controller
MEDIUM | 6.5 | RubyGems | CVE-2026-44836 | view_component: Preview Route Can Dispatch Inherited Helper Methods
MEDIUM | 5.9 | RubyGems | CVE-2026-44837 | view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
MEDIUM | 6.1 | RubyGems | CVE-2018-14042 | Bootstrap Cross-site Scripting vulnerability
MEDIUM | 5.5 | RubyGems | CVE-2024-32887 | Sidekiq vulnerable to a Reflected XSS in Queues Web Page
MEDIUM | 5.8 | RubyGems | CVE-2026-44312 | CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
MEDIUM | 4.5 | RubyGems | CVE-2024-27281 | RDoc RCE vulnerability with .rdoc_options
MEDIUM | 5.3 | RubyGems | CVE-2023-5349 | A memory leak flaw was found in ruby-magick
MEDIUM | 6.1 | RubyGems | CVE-2019-8331 | Bootstrap Vulnerable to Cross-Site Scripting
MEDIUM | 5.4 | RubyGems | CVE-2026-4324 | Katello: Denial of Service and potential information disclosure via SQL injection
MEDIUM | 6.1 | RubyGems | CVE-2025-67202 | Sidekiq-cron is vulnerable to a cross-site scripting (XSS) vulnerability via crafted URL
MEDIUM | 6.1 | RubyGems | CVE-2026-40295 | Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
MEDIUM | 4.6 | RubyGems | CVE-2026-42086 | OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
MEDIUM | 4.3 | RubyGems | CVE-2026-42085 | OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
MEDIUM | 4.8 | RubyGems | CVE-2026-32762 | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
MEDIUM | 4.8 | RubyGems | CVE-2026-34835 | Rack::Request accepts invalid Host characters, enabling host allowlist bypass
MEDIUM | 4.8 | RubyGems | CVE-2026-34831 | Rack has Content-Length mismatch in Rack::Files error responses
MEDIUM | 4.8 | RubyGems | CVE-2026-26962 | Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
MEDIUM | 5.9 | RubyGems | CVE-2026-34830 | Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
MEDIUM | 5.3 | RubyGems | CVE-2026-26961 | Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass
MEDIUM | 5.9 | RubyGems | CVE-2026-35201 | rdiscount has an Out-of-bounds Read
MEDIUM | 5.3 | RubyGems | CVE-2026-34763 | Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
MEDIUM | 5.3 | RubyGems | CVE-2026-34826 | Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
MEDIUM | 5.3 | RubyGems | CVE-2026-34786 | Rack::Static header_rules bypass via URL-encoded paths
MEDIUM | 5.3 | RubyGems | GHSA-v2fc-qm4h-8hqv | Nokogiri XSLT transform has a memory leak
MEDIUM | 6.5 | RubyGems | CVE-2026-33658 | Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
MEDIUM | 4.3 | RubyGems | CVE-2020-8166 | Ability to forge per-form CSRF tokens in Rails
MEDIUM | 5.3 | RubyGems | GHSA-3h96-34p3-xm76 | GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens
MEDIUM | 6.5 | RubyGems | CVE-2026-1776 | Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
MEDIUM | 5.9 | RubyGems | CVE-2015-1828 | http vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
MEDIUM | 4.2 | RubyGems | CVE-2025-32441 | Rack session gets restored after deletion
MEDIUM | 5.3 | RubyGems | CVE-2026-32700 | Devise has a confirmable "change email" race condition that permits a user to confirm an email they have no access to
MEDIUM | 4.3 | RubyGems | CVE-2026-33635 | iCalendar has ICS injection via unsanitized URI property values
MEDIUM | 4.6 | RubyGems | GHSA-qmpg-8xg6-ph5q | Trix has a Stored XSS vulnerability through serialized attributes
MEDIUM | 6.1 | RubyGems | CVE-2017-1002201 | Haml vulnerable to cross-site scripting
MEDIUM | 4.3 | RubyGems | CVE-2021-21288 | Server-side request forgery in CarrierWave
MEDIUM | 6.8 | RubyGems | CVE-2020-26298 | Injection/XSS in Redcarpet
MEDIUM | 5.8 | RubyGems | CVE-2019-16779 | In RubyGem excon, interrupted Persistent Connections May Leak Response Data
MEDIUM | 4.8 | RubyGems | CVE-2020-5267 | Cross-site scripting vulnerability in ActionView
MEDIUM | 4.4 | RubyGems | CVE-2020-5216 | Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
MEDIUM | 4.3 | RubyGems | CVE-2020-26247 | Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
MEDIUM | 6.5 | RubyGems | CVE-2020-5247 | HTTP Response Splitting in Puma
MEDIUM | 5.3 | RubyGems | CVE-2021-43177 | Improper one-time password handling in devise-two-factor
MEDIUM | 5.9 | RubyGems | CVE-2021-41186 | ReDoS vulnerability in parser_apache2
MEDIUM | 6.2 | RubyGems | CVE-2021-41263 | Rails Multisite secure/signed cookies share secrets between sites in a multi-site application
MEDIUM | 6.3 | RubyGems | CVE-2021-39197 | Older releases of better_errors open to Cross-Site Request Forgery attack
MEDIUM | 4.2 | RubyGems | CVE-2021-43840 | Path traversal when MessageBus::Diagnostics is enabled
MEDIUM | 5.3 | RubyGems | CVE-2021-43846 | CSRF forgery protection bypass in solidus_frontend
MEDIUM | 6.7 | RubyGems | CVE-2021-43809 | Local Code Execution through Argument Injection via dash-leading git URL parameter in Gemfile
MEDIUM | 4.4 | RubyGems | CVE-2020-5217 | Directive injection when using dynamic overrides with user input
MEDIUM | 6.8 | RubyGems | CVE-2020-11077 | HTTP Smuggling via Transfer-Encoding Header in Puma
MEDIUM | 5.3 | RubyGems | CVE-2020-15109 | Ability to change order address without triggering address validations in solidus
MEDIUM | 5.4 | RubyGems | CVE-2020-15169 | XSS in Action View
MEDIUM | 5.3 | RubyGems | CVE-2019-16770 | A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
MEDIUM | 5.9 | RubyGems | CVE-2020-15237 | Possible timing attack in derivation_endpoint
MEDIUM | 6.4 | RubyGems | CVE-2020-11082 | Cross-Site Scripting in Kaminari
MEDIUM | 6.3 | RubyGems | CVE-2019-16782 | Possible Information Leak / Session Hijack Vulnerability in Rack
MEDIUM | 5.4 | RubyGems | CVE-2026-25500 | Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
