
Rails — Vulnerabilities & Security Advisories (45)

Browse all 45 CVE security advisories affecting Rails. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Rails is a widely adopted web application framework built around convention over configuration and used mainly for dynamic websites and APIs. Its recorded vulnerabilities cluster around a few classes: remote code execution, cross-site scripting, SQL injection, and information disclosure. Mass assignment, and the privilege escalation it enables, has been a recurring issue because the framework binds request parameters to model attributes automatically; since Rails 4.0 the strong-parameters allow-list is the default defence, but applications that bypass it, or that still run older versions, remain exposed. The advisories listed below fall into recognisable families: XSS in Action View and in the rails-html-sanitizer dependency (CWE-79, CWE-80), regular-expression denial of service in Accept-header and HTML parsing (CWE-1333), sensitive-information exposure in Action Pack and Active Storage (CWE-200), and the 2019 advisories classified as path traversal (CWE-22), command injection (CWE-77) and uncontrolled resource consumption (CWE-400). The count of forty-five CVEs reflects the framework's long market presence and the size of its component set rather than any single weak design. Keeping the framework and its gems current, permitting only the parameters an action needs, and validating input strictly are the controls that address most of the entries on this page.
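The mass-assignment point above is easiest to see side by side: a controller that binds the raw request hash to a model, and the same action behind an allow-list filter. The block below is an added example written for this page; it is not code from the page or from the Rails project, and it does not load Rails. `User`, `permit`, `UnpermittedParameters`, the two `*_signup` actions and `ATTACKER_PARAMS` are all hypothetical names introduced here, and `permit` is a simplified stand-in for `ActionController::Parameters#permit`, not the real implementation. The `on_unpermitted: :raise` option mirrors what Rails' real `config.action_controller.action_on_unpermitted_parameters = :raise` setting does.

```ruby
# Added example (not from the page or the Rails project): pure-Ruby model of
# mass assignment and of the allow-list filter that Rails strong parameters
# apply. Runs without Rails.
require "set"

# Hypothetical model. `admin` is a privileged attribute that must never be
# settable from request input.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Mass assignment: every key in the hash becomes a setter call. This is safe
  # only if the caller has already filtered the hash down to allowed keys.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      raise ArgumentError, "unknown attribute #{key}" unless respond_to?(setter)
      public_send(setter, value)
    end
    self
  end
end

# Raised when on_unpermitted: :raise is requested and extra keys were present.
class UnpermittedParameters < StandardError; end

# Allow-list filter modelled on ActionController::Parameters#permit (simplified
# stand-in, not the Rails implementation). Returns the filtered hash and the
# keys it dropped, so the caller can log or reject them.
def permit(params, *allowed, on_unpermitted: :drop)
  allowed = allowed.map(&:to_s).to_set
  filtered = {}
  dropped = []
  params.each do |key, value|
    if allowed.include?(key.to_s)
      filtered[key.to_s] = value
    else
      dropped << key.to_s
    end
  end
  if on_unpermitted == :raise && !dropped.empty?
    raise UnpermittedParameters, "unpermitted parameters: #{dropped.join(', ')}"
  end
  [filtered, dropped]
end

# Constructed request body: a signup form to which the attacker appended an
# "admin" field that the form never offered.
ATTACKER_PARAMS = {
  "name" => "mallory",
  "email" => "mallory@example.com",
  "admin" => true
}.freeze

# Vulnerable controller action: binds the raw request hash to the model, so the
# attacker-supplied "admin" key reaches User#admin=.
def vulnerable_signup(params)
  User.new.assign_attributes(params)
end

# Hardened controller action: binds only the allow-listed keys. With
# on_unpermitted: :raise the request fails loudly instead of silently dropping
# the extra key, which is the setting to prefer in development and test.
def hardened_signup(params, on_unpermitted: :drop)
  filtered, _dropped = permit(params, :name, :email, on_unpermitted: on_unpermitted)
  User.new.assign_attributes(filtered)
end

if __FILE__ == $0
  puts "vulnerable: admin=#{vulnerable_signup(ATTACKER_PARAMS).admin}"
  puts "hardened:   admin=#{hardened_signup(ATTACKER_PARAMS).admin}"
end
```

In a real Rails application the equivalent of `permit(params, :name, :email)` is `params.require(:user).permit(:name, :email)` in the controller; the point of returning the dropped keys here is that silently discarding them hides probing, so the hardened action should at least log what it rejected.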

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-26144 | Possible Sensitive Session Information Leak in Active Storage | rails | CWE-200 | 5.3 | Medium | 2024-02-27 |
| CVE-2024-26143 | Rails Possible XSS Vulnerability in Action Controller | rails | CWE-79 | 6.1 | Medium | 2024-02-27 |
| CVE-2024-26142 | Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch | rails | CWE-1333 | 7.5 | High | 2024-02-27 |
| CVE-2022-23520 | rails-html-sanitizer contains an incomplete fix for an XSS vulnerability | rails-html-sanitizer | CWE-79 | 6.1 | Medium | 2022-12-14 |
| CVE-2022-23519 | Possible XSS vulnerability with certain configurations of rails-html-sanitizer | rails-html-sanitizer | CWE-79 | 7.2 | High | 2022-12-14 |
| CVE-2022-23518 | Improper neutralization of data URIs allows XSS in rails-html-sanitizer | rails-html-sanitizer | CWE-79 | 6.1 | - | 2022-12-14 |
| CVE-2022-23517 | Inefficient Regular Expression Complexity in rails-html-sanitizer | rails-html-sanitizer | CWE-1333 | 7.5 | High | 2022-12-14 |
| CVE-2022-23633 | Exposure of sensitive information in Action Pack | rails | CWE-200 | 7.4 | High | 2022-02-11 |
| CVE-2020-15169 | XSS in Action View | actionview | CWE-79 | 5.4 | Medium | 2020-09-11 |
| CVE-2020-5267 | Possible XSS vulnerability in ActionView | actionview | CWE-80 | 4.0 | Medium | 2020-03-19 |
| CVE-2010-3299 | Ruby on Rails security vulnerability | rails | - | 5.3 | - | 2019-11-12 |
| CVE-2019-5420 | Ruby on Rails security feature issue vulnerability | https://github.com/rails/rails | CWE-77 | 9.8 | - | 2019-03-27 |
| CVE-2019-5419 | Rails resource management error vulnerability | https://github.com/rails/rails | CWE-400 | 7.5 | - | 2019-03-27 |
| CVE-2019-5418 | Action View information disclosure vulnerability | https://github.com/rails/rails | CWE-22 | 7.5 | - | 2019-03-27 |
| CVE-2018-3741 | rails-html-sanitizer gem for Ruby cross-site scripting vulnerability | rails-html-sanitizer | CWE-79 | 6.1 | - | 2018-03-30 |

A dash in the CWE or Severity column means the page gives no value for that entry; the CVSS score is shown as listed.

This page lists every published CVE security advisory associated with Rails. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.