| CVE-2026-34835 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack::Request accepts invalid Host characters, enabling host allowlist bypass |
| CVE-2026-26961 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. |
| CVE-2026-34831 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack has Content-Length mismatch in Rack::Files error responses |
| CVE-2026-34830 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect |
| CVE-2026-34826 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges |
| CVE-2026-34786 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack:: Static header_rules bypass via URL-encoded paths |
| CVE-2026-34763 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory |
| CVE-2026-32762 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing |
| CVE-2026-26962 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values |
| CVE-2025-25184 |
medium |
— |
5.5 |
|
|
|
1y ago |
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline character… |
| CVE-2024-26146 |
medium |
— |
5.5 |
|
|
|
2y ago |
RHSA-2024:2953: pcs security update (Moderate) |
| CVE-2024-25126 |
medium |
— |
5.5 |
|
|
|
2y ago |
RHSA-2024:2953: pcs security update (Moderate) |
| CVE-2024-26141 |
medium |
— |
5.5 |
|
|
|
2y ago |
RHSA-2024:2953: pcs security update (Moderate) |
| CVE-2023-27539 |
medium |
— |
5.5 |
|
|
|
3y ago |
RHSA-2023:3082: pcs security and bug fix update (Moderate) |
| CVE-2023-27530 |
medium |
— |
5.5 |
|
|
|
3y ago |
RHSA-2023:3082: pcs security and bug fix update (Moderate) |
| CVE-2013-0263 |
medium |
— |
5.1 |
|
|
|
14y ago |
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privile… |
| CVE-2015-3225 |
medium |
— |
5.0 |
|
|
|
11y ago |
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a… |
| CVE-2013-0183 |
medium |
— |
5.0 |
|
|
|
14y ago |
multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipar… |
| CVE-2011-5036 |
medium |
— |
5.0 |
|
|
|
15y ago |
Rack Gem Subject to Denial of Service via Hash Collisions |
| CVE-2013-0262 |
medium |
— |
4.3 |
|
|
|
14y ago |
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable… |
| CVE-2013-0184 |
medium |
— |
4.3 |
|
|
|
14y ago |
Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of servic… |
| CVE-2012-6109 |
medium |
— |
4.3 |
|
|
|
14y ago |
lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of ser… |
