| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41316 | ERB has an @_init deserialization guard bypass via def_module / def_method / def_class | ruby | erb | High | 8.1 | 2026-04-24 02:35:41 | Deep Dive |
| CVE-2026-27820 | zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption | ruby | zlib | Medium | - | 2026-04-16 17:27:49 | Deep Dive |
| CVE-2026-40070 | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) | sgbett | bsv-ruby-sdk | High | 8.1 | 2026-04-09 17:26:51 | Deep Dive |
| CVE-2026-40069 | bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts | sgbett | bsv-ruby-sdk | High | 7.5 | 2026-04-09 17:22:28 | Deep Dive |
| CVE-2026-34060 | Ruby LSP has arbitrary code execution through branch setting | Shopify | ruby-lsp | - | - | 2026-03-31 01:59:51 | Deep Dive |
| CVE-2026-33946 | MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay | modelcontextprotocol | ruby-sdk | Medium | - | 2026-03-27 21:20:08 | Deep Dive |
| CVE-2026-33306 | bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby | bcrypt-ruby | bcrypt-ruby | Medium | - | 2026-03-24 00:08:00 | Deep Dive |
| CVE-2026-33210 | Ruby JSON has a format string injection vulnerability | ruby | json | Medium | - | 2026-03-20 22:57:09 | Deep Dive |
| CVE-2026-31830 | sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest | sigstore | sigstore-ruby | High | 7.5 | 2026-03-10 21:46:03 | Deep Dive |
| CVE-2026-2302 | Unsafe Reflection in Mongoid::Criteria.from_hash | MongoDB Inc | MongoDB Ruby Driver | Medium | 6.5 | 2026-02-10 18:59:24 | Deep Dive |
| CVE-2025-61594 | URI Credential Leakage Bypass over CVE-2025-27221 | ruby | uri | Medium | - | 2025-12-30 21:03:09 | Deep Dive |
| CVE-2025-14762 | AWS SDK for Ruby security vulnerability | AWS | AWS SDK for Ruby | Medium | 5.3 | 2025-12-17 20:15:58 | Deep Dive |
| CVE-2025-66568 | ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation | SAML-Toolkits | ruby-saml | - | - | 2025-12-09 02:03:20 | Deep Dive |
| CVE-2025-66567 | ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) | SAML-Toolkits | ruby-saml | - | - | 2025-12-09 01:55:06 | Deep Dive |
| CVE-2025-12790 | Rubygem-mqtt: rubygem-mqtt hostname validation | Nicholas J Humfrey | ruby-mqtt | High | 7.4 | 2025-11-06 21:07:35 | Deep Dive |
| CVE-2025-58767 | REXML has a DoS condition when parsing malformed XML file | ruby | rexml | - | - | 2025-09-17 17:45:58 | Deep Dive |
| CVE-2025-54887 | jwe: Missing AES-GCM authentication tag validation in encrypted JWEs | jwt | ruby-jwe | Critical | 9.1 | 2025-08-08 00:06:20 | Deep Dive |
| CVE-2025-54572 | Ruby SAML DOS vulnerability with large SAML response | SAML-Toolkits | ruby-saml | - | - | 2025-07-30 14:05:44 | Deep Dive |
| CVE-2025-24294 | Ruby security vulnerability | Ruby | resolv | - | - | 2025-07-12 03:30:40 | Deep Dive |
| CVE-2025-6442 | Ruby WEBrick read_header HTTP Request Smuggling Vulnerability | Ruby | WEBrick | - | - | 2025-06-25 16:52:25 | Deep Dive |