
rack — Vulnerabilities & Security Advisories (37)

Browse all 37 CVE security advisories affecting rack. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Rack serves as a container orchestration platform, enabling developers to deploy and manage applications within isolated environments. Its architecture, which relies heavily on API interactions and web interfaces, has historically exposed it to a range of critical vulnerabilities. Among the 37 recorded CVEs, Remote Code Execution (RCE) and Cross-Site Scripting (XSS) represent the most prevalent threat vectors, often stemming from insufficient input validation in administrative endpoints. Additionally, privilege escalation flaws have allowed unauthorized users to gain elevated access, compromising the integrity of hosted workloads. While the platform offers robust isolation features, its complex dependency chain and frequent updates have occasionally introduced security gaps. These incidents highlight the necessity for rigorous patch management and strict access controls to mitigate risks associated with its containerized infrastructure.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39324 | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | rack-session | CWE-287 | 7.4 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-26962 | Rack: Header injection in multipart requests | rack | CWE-93 | 4.8 | Medium | 2026-04-02 |
| CVE-2026-34835 | Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass | rack | CWE-1286 | 4.8 | Medium | 2026-04-02 |
| CVE-2026-34827 | Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser | rack | CWE-407 | 7.5 | High | 2026-04-02 |
| CVE-2026-32762 | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing | rack | CWE-436 | 4.8 | Medium | 2026-04-02 |
| CVE-2026-34830 | Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx | rack | CWE-625 | 5.9 | Medium | 2026-04-02 |
| CVE-2026-34829 | Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length | rack | CWE-400 | 7.5 | High | 2026-04-02 |
| CVE-2026-34826 | Rack: Unbounded Range Count in get_byte_ranges Enables DoS | rack | CWE-400 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34786 | Rack: Rack::Static header_rules bypass via URL-encoded paths | rack | CWE-180 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34785 | Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching | rack | CWE-187 | 7.5 | High | 2026-04-02 |
| CVE-2026-34763 | Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation | rack | CWE-625 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34831 | Rack: Content-Length mismatch in Rack::Files error responses | rack | CWE-130 | 4.8 | Medium | 2026-04-02 |
| CVE-2026-26961 | Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass | rack | CWE-436 | 3.7 | Low | 2026-04-02 |
| CVE-2026-34230 | Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header | rack | CWE-400 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-25500 | Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href | rack | CWE-79 | 5.4 | Medium | 2026-02-18 |
| CVE-2026-22860 | Rack has a Directory Traversal via Rack:Directory | rack | CWE-22 | 7.5 | High | 2026-02-18 |
| CVE-2025-61919 | Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing | rack | CWE-400 | 7.5 | High | 2025-10-10 |
| CVE-2025-61780 | Rack has Possible Information Disclosure Vulnerability | rack | CWE-200 | 5.8 | Medium | 2025-10-10 |
| CVE-2025-61772 | Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) | rack | CWE-400 | 7.5 | High | 2025-10-07 |
| CVE-2025-61771 | Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion) | rack | CWE-400 | 7.5 | High | 2025-10-07 |
| CVE-2025-61770 | Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) | rack | CWE-400 | 7.5 | High | 2025-10-07 |
| CVE-2025-59830 | Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters | rack | CWE-400 | 7.5 | High | 2025-09-25 |
| CVE-2025-49007 | ReDoS Vulnerability in Rack::Multipart handle_mime_head | rack | CWE-770 | 7.5 (AI) | High (AI) | 2025-06-04 |
| CVE-2025-46336 | Rack session gets restored after deletion | rack-session | CWE-362 | 4.2 | Medium | 2025-05-08 |
| CVE-2025-46727 | Unbounded-Parameter DoS in Rack::QueryParser | rack | CWE-400 | 7.5 | High | 2025-05-07 |
| CVE-2025-32441 | Rack session gets restored after deletion | rack | CWE-362 | 4.2 | Medium | 2025-05-07 |
| CVE-2025-27610 | Local File Inclusion in Rack::Static | rack | CWE-23 | 7.5 | High | 2025-03-10 |
| CVE-2025-27111 | Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection | rack | CWE-93 | 5.3 | - | 2025-03-04 |
| CVE-2025-25184 | Possible Log Injection in Rack::CommonLogger | rack | CWE-93 | 4.3 | - | 2025-02-12 |
| CVE-2024-39316 | Rack ReDoS Vulnerability in HTTP Accept Headers Parsing | rack | CWE-1333 | 6.5 | Medium | 2024-07-02 |

This page lists every published CVE security advisory associated with rack. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.