Vulnerabilities
| ID | Packages | Summary | Published | Attributes |
|---|---|---|---|---|
| GHSA-hfcp-477w-3wjw | RubyGems/rubyipmi | rubyipmi is vulnerable to OS Command Injection through malicious usernames | 6 days ago | Fix available; Severity - 8.3 (High) |
| MAL-2026-1002 | RubyGems/newrubylogger | Malicious code in newrubylogger (RubyGems) | 23 Feb | No fix available |
| MAL-2026-996 | RubyGems/rubocop-vintedmetrics | Malicious code in rubocop-vintedmetrics (RubyGems) | 20 Feb | No fix available |
| GHSA-wx95-c6cv-8532 | RubyGems/nokogiri | Nokogiri does not check the return value from xmlC14NExecute | 18 Feb | Fix available; Severity - 5.3 (Medium) |
| GHSA-whrj-4476-wvmp | RubyGems/rack | Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href | 17 Feb | Fix available; Severity - 5.4 (Medium) |
| GHSA-mxw3-3hh2-x2mh | RubyGems/rack | Rack has a Directory Traversal via Rack:Directory | 17 Feb | Fix available; Severity - 7.5 (High) |
| MAL-2026-906 | RubyGems/cucumber_json_schema | Malicious code in cucumber_json_schema (RubyGems) | 15 Feb | No fix available |
| GHSA-q66h-m87m-j2q6 | RubyGems/bitcoinrb | Bitcoinrb Vulnerable to Command injection via RPC | 10 Feb | Fix available; Severity - 2.0 (Low) |
| GHSA-33mh-2634-fwr2 | RubyGems/faraday | Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url | 09 Feb | Fix available; Severity - 5.8 (Medium) |
| GHSA-w67g-2h6v-vjgq | RubyGems/phlex | Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values | 06 Feb | Fix available; Severity - 7.1 (High) |
| GHSA-87fh-rc96-6fr6 | RubyGems/spree_api | Unauthenticated Spree Commerce users can access all guest addresses | 05 Feb | Fix available; Severity - 7.7 (High) |
| GHSA-p6pv-q7rc-g4h9 | RubyGems/spree_storefront | Unauthenticated Spree Commerce users can view completed guest orders by Order ID | 05 Feb | Fix available; Severity - 7.7 (High) |
| GHSA-3cx6-j9j4-54mp | RubyGems/decidim, RubyGems/decidim-core | Decidim's private data exports can lead to data leaks | 03 Feb | Fix available; Severity - 8.2 (High) |
| GHSA-2qxw-7fmx-gqfm | RubyGems/foreman_kubevirt | foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set | 02 Feb | Fix available; Severity - 8.1 (High) |
| GHSA-m3hq-3qj8-c5fm | RubyGems/fog-kubevirt | fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation | 02 Feb | Fix available; Severity - 8.1 (High) |
| GHSA-2762-657x-v979 | RubyGems/alchemy_cms | AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper | 21 Jan | Fix available; Severity - 6.4 (Medium) |
RubyGems - OSV