
RubyGems Vulnerability Archive

Recent and critical CVEs affecting RubyGems packages. Kodem’s runtime-powered SCA identifies which are actually reachable in your applications.

Recent RubyGems CVEs
CVE             Severity  Package / summary
CVE-2026-54592  High      oj · Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input
CVE-2026-54500  Medium    oj · Oj: intern.c form_attr (uninitialized stack read)
CVE-2026-54297  High      faraday · Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion…
CVE-2026-55518  Critical  avo · Avo: Missing Authorization in Avo Association Attach Endpoint Allows…
CVE-2026-12515  Medium    katello · katello: missing repository authorization in content_uploads exposes…
CVE-2026-47737  High      puma · Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent…
CVE-2026-47736  High      puma · Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
CVE-2026-44587  Medium    carrierwave · CarrierWave has a denylisted_content_type bypass via Unescaped Regex…
CVE-2026-45363  High      jwt · ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
CVE-2026-44837  Medium    view_component · view_component: System Test Entry Point Path Check Allows Sibling Directory…
CVE-2026-44836  Medium    view_component · view_component: Preview Route Can Dispatch Inherited Helper Methods
CVE-2026-40295  Medium    devise · Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable…
CVE-2025-67202  Medium    sidekiq-cron · Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via…
CVE-2026-44511  High      katalyst-koi · katalyst-koi: Session cookies can be replayed after user logout
CVE-2026-44312  Medium    css_parser · CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS…
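The first triage step for a list like this is to find out which of the named gems are resolved in your own lockfile, and at what version. The Ruby script below is an added example, not Kodem's code or any listed project's: it parses the `specs:` blocks of a Gemfile.lock and reports the gems that appear in the table above together with their CVE identifiers. The lockfile it runs on is constructed for illustration. Affected and fixed version ranges are not given on this page, so a hit only means the gem is present at that version; the version still has to be compared with the advisory's fixed range before calling it vulnerable or not.

```ruby
# Added example: match gem names from the CVE table above against a Gemfile.lock.
# Only package names and CVE ids come from the page; version ranges do not, so a
# hit is "present, check the advisory", not "confirmed vulnerable".

# Gem names keyed to the CVE identifiers listed for them in the table.
LISTED_CVES = {
  'oj'             => %w[CVE-2026-54592 CVE-2026-54500],
  'faraday'        => %w[CVE-2026-54297],
  'avo'            => %w[CVE-2026-55518],
  'katello'        => %w[CVE-2026-12515],
  'puma'           => %w[CVE-2026-47737 CVE-2026-47736],
  'carrierwave'    => %w[CVE-2026-44587],
  'jwt'            => %w[CVE-2026-45363],
  'view_component' => %w[CVE-2026-44837 CVE-2026-44836],
  'devise'         => %w[CVE-2026-40295],
  'sidekiq-cron'   => %w[CVE-2025-67202],
  'katalyst-koi'   => %w[CVE-2026-44511],
  'css_parser'     => %w[CVE-2026-44312],
}.freeze

# Parse resolved gem versions out of Gemfile.lock text. Under each `specs:`
# block (GEM, GIT and PATH sections all have one), the 4-space-indented
# "name (version)" lines are resolved gems; the 6-space lines beneath them
# are dependency requirements such as "(~> 2.0)" and are deliberately skipped.
# Transitive gems are included: a vulnerable gem pulled in indirectly still ships.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    l = line.chomp
    if l == '  specs:'
      in_specs = true
      next
    end
    in_specs = false if l =~ /\A\S/      # a new top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = l.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      versions[m[1]] = m[2]              # e.g. "puma" => "6.4.2"
    end
  end
  versions
end

# Return the listed gems that are resolved in the lockfile, with version and CVEs,
# in the order of the table above.
def listed_gems_in_lockfile(lock_text)
  versions = lockfile_versions(lock_text)
  LISTED_CVES.each_with_object([]) do |(gem, cves), hits|
    next unless versions.key?(gem)
    hits << { gem: gem, version: versions[gem], cves: cves }
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      faraday (2.9.0)
        faraday-net_http (>= 2.0, < 3.2)
      faraday-net_http (3.1.0)
      jwt (2.8.1)
        base64
      base64 (0.2.0)
      nio4r (2.7.0)
      oj (3.16.3)
        bigdecimal (>= 3.0)
      bigdecimal (3.1.8)
      puma (6.4.2)
        nio4r (~> 2.0)
      rack (3.0.9)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    faraday
    jwt
    oj
    puma

  BUNDLED WITH
     2.5.6
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  listed_gems_in_lockfile(lock).each do |h|
    puts "#{h[:gem]} #{h[:version]}: #{h[:cves].join(', ')} (compare with advisory's fixed range)"
  end
end
```

Run it with no arguments to see the sample output, or pass the path to a real Gemfile.lock. The parser keys on the exact two-space `specs:` line and the four-space spec indent that Bundler writes, so a lockfile hand-edited with different indentation will silently yield nothing; the empty result is worth checking for before trusting a clean report.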
