
Rails — Vulnerabilities & Security Advisories (45)

Browse all 45 CVE security advisories affecting Rails. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Rails is a widely adopted web application framework designed to accelerate development through convention over configuration, primarily powering dynamic websites and APIs. Its extensive ecosystem has historically exposed it to diverse security challenges, with recorded vulnerabilities frequently involving remote code execution, cross-site scripting, and SQL injection. Privilege escalation and mass assignment issues also appear commonly due to the framework’s automatic parameter binding mechanisms. While recent versions have significantly hardened default configurations, legacy applications remain susceptible to injection attacks and insecure deserialization. Notable incidents often stem from misconfigured generators or outdated dependencies rather than core framework flaws. The sheer volume of forty-five CVEs reflects its long market presence and complexity. Developers must prioritize regular dependency updates and strict input validation to mitigate risks, ensuring that the framework’s convenience does not compromise application integrity against evolving threat landscapes.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33658 | Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests | activestorage | CWE-770 | 7.5 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-33202 | Rails Active Storage has possible glob injection in its DiskService | activestorage | CWE-74 | 8.1 | - | 2026-03-23 |
| CVE-2026-33195 | Rails Active Storage has possible Path Traversal in DiskService | activestorage | CWE-22 | 8.8 | - | 2026-03-23 |
| CVE-2026-33176 | Rails Active Support has a possible DoS vulnerability in its number helpers | activesupport | CWE-400 | 7.5 | - | 2026-03-23 |
| CVE-2026-33174 | Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests | activestorage | CWE-789 | 7.5 | - | 2026-03-23 |
| CVE-2026-33173 | Rails Active Storage has possible content type bypass via metadata in direct uploads | activestorage | CWE-925 | 8.1 | - | 2026-03-23 |
| CVE-2026-33170 | Rails Active Support has a possible XSS vulnerability in SafeBuffer#% | activesupport | CWE-79 | 8.6 | - | 2026-03-23 |
| CVE-2026-33169 | Rails Active Support has a possible ReDoS vulnerability in number_to_delimited | activesupport | CWE-400 | 7.5 | - | 2026-03-23 |
| CVE-2026-33168 | Rails has a possible XSS vulnerability in its Action View tag helpers | actionview | CWE-79 | 6.1 | - | 2026-03-23 |
| CVE-2026-33167 | Rails has a possible XSS vulnerability in its Action Pack debug exceptions | actionpack | CWE-79 | 6.1 | - | 2026-03-23 |
| CVE-2025-24293 | Active Storage security vulnerability | activestorage | - | 9.8 (AI) | Critical (AI) | 2026-01-30 |
| CVE-2025-55193 | Active Record logging vulnerable to ANSI escape injection | rails | CWE-150 | 5.3 (AI) | Medium (AI) | 2025-08-13 |
| CVE-2023-28362 | Rails security vulnerability | Action Pack | - | 7.5 | - | 2025-01-09 |
| CVE-2023-23913 | Rails security vulnerability | rails-ujs | - | 6.1 | - | 2025-01-09 |
| CVE-2023-27539 | Rack security vulnerability | Rack | - | 7.5 | - | 2025-01-09 |
| CVE-2023-27531 | Kredis security vulnerability | Kredis JSON | - | 9.8 | - | 2025-01-09 |
| CVE-2023-38037 | rails security vulnerability | ActiveSupport | - | 5.7 (AI) | Medium (AI) | 2025-01-09 |
| CVE-2023-28120 | Rails security vulnerability | ActiveSupport | - | 9.8 | - | 2025-01-09 |
| CVE-2024-54133 | Possible Content Security Policy bypass in Action Dispatch | rails | CWE-79 | 6.1 | - | 2024-12-10 |
| CVE-2024-53985 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 | rails-html-sanitizer | CWE-79 | 6.1 | - | 2024-12-02 |
| CVE-2024-53987 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 | rails-html-sanitizer | CWE-79 | 6.1 | - | 2024-12-02 |
| CVE-2024-53986 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 | rails-html-sanitizer | CWE-79 | 6.1 | - | 2024-12-02 |
| CVE-2024-53988 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 | rails-html-sanitizer | CWE-79 | 6.1 | - | 2024-12-02 |
| CVE-2024-53989 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 | rails-html-sanitizer | CWE-79 | 6.1 | - | 2024-12-02 |
| CVE-2024-47889 | Action Mailer has possible ReDoS vulnerability in block_format | rails | CWE-1333 | 7.5 | - | 2024-10-16 |
| CVE-2024-47888 | Action Text has possible ReDoS vulnerability in plain_text_for_blockquote_node | rails | CWE-1333 | 7.5 | - | 2024-10-16 |
| CVE-2024-47887 | Action Controller has possible ReDoS vulnerability in HTTP Token authentication | rails | CWE-1333 | 7.5 | - | 2024-10-16 |
| CVE-2024-41128 | Action Dispatch has possible ReDoS vulnerability in query parameter filtering | rails | CWE-770 | 7.5 | - | 2024-10-16 |
| CVE-2024-32464 | ActionText ContentAttachment can Contain Unsanitized HTML | rails | CWE-80 | 6.1 | Medium | 2024-06-04 |
| CVE-2024-28103 | Action Pack is missing security headers on non-HTML responses | rails | CWE-20 | 5.4 | Medium | 2024-06-04 |

Values marked (AI) are scores and severities estimated by the site's AI analysis rather than taken from the advisory; "-" means the field was not provided in the listing.

This page lists every published CVE security advisory associated with Rails. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.