| CVE-2026-33195 | high | — | 8.0 | | | | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the … |
| CVE-2026-33658 | medium | 6.5 | 6.5 | | | | 2mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte … |
| CVE-2026-33173 | medium | — | 5.5 | | | | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the clien… |
| CVE-2026-33174 | medium | — | 5.5 | | | | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, th… |
| CVE-2026-33202 | medium | — | 5.5 | | | | 3mo ago | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys dir… |
| CVE-2025-24293 | unknown | — | — | | | | 10mo ago | Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The … |
| CVE-2024-26144 | unknown | — | — | | | | 2y ago | Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along… |
| CVE-2022-21831 | unknown | — | — | | | | 4y ago | A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments. |
| CVE-2020-8162 | unknown | — | — | | | | 6y ago | A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be m… |
| CVE-2018-16477 | unknown | — | — | | | | 8y ago | A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allows an attacker to modify the `content-disposition` and `content-type` parameters which can be used in w… |