Vulnerabilities
| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-qmpg-8xg6-ph5q | RubyGems/action_text-trix, npm/trix | Trix has a Stored XSS vulnerability through serialized attributes | 3 days ago | Fix available; Severity - 4.6 (Medium) |
| GHSA-mhg6-2q2v-9h2c | RubyGems/sigstore | sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest | 4 days ago | Fix available; Severity - 7.5 (High) |
| GHSA-jw5g-f64p-6x78 | RubyGems/camaleon_cms | Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation | 5 days ago | No fix available; Severity - 6.0 (Medium) |
| GHSA-hfcp-477w-3wjw | RubyGems/rubyipmi | rubyipmi is vulnerable to OS Command Injection through malicious usernames | 27 Feb | Fix available; Severity - 8.3 (High) |
| MAL-2026-1002 | RubyGems/newrubylogger | Malicious code in newrubylogger (RubyGems) | 23 Feb | No fix available |
| MAL-2026-996 | RubyGems/rubocop-vintedmetrics | Malicious code in rubocop-vintedmetrics (RubyGems) | 20 Feb | No fix available |
| GHSA-wx95-c6cv-8532 | RubyGems/nokogiri | Nokogiri does not check the return value from xmlC14NExecute | 18 Feb | Fix available; Severity - 5.3 (Medium) |
| GHSA-whrj-4476-wvmp | RubyGems/rack | Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href | 17 Feb | Fix available; Severity - 5.4 (Medium) |
| GHSA-mxw3-3hh2-x2mh | RubyGems/rack | Rack has a Directory Traversal via Rack:Directory | 17 Feb | Fix available; Severity - 7.5 (High) |
| MAL-2026-906 | RubyGems/cucumber_json_schema | Malicious code in cucumber_json_schema (RubyGems) | 15 Feb | No fix available |
| GHSA-q66h-m87m-j2q6 | RubyGems/bitcoinrb | Bitcoinrb Vulnerable to Command injection via RPC | 10 Feb | Fix available; Severity - 2.0 (Low) |
| GHSA-33mh-2634-fwr2 | RubyGems/faraday | Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url | 09 Feb | Fix available; Severity - 5.8 (Medium) |
| GHSA-w67g-2h6v-vjgq | RubyGems/phlex | Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values | 06 Feb | Fix available; Severity - 7.1 (High) |
| GHSA-87fh-rc96-6fr6 | RubyGems/spree_api | Unauthenticated Spree Commerce users can access all guest addresses | 05 Feb | Fix available; Severity - 7.7 (High) |
| GHSA-p6pv-q7rc-g4h9 | RubyGems/spree_storefront | Unauthenticated Spree Commerce users can view completed guest orders by Order ID | 05 Feb | Fix available; Severity - 7.7 (High) |
| GHSA-3cx6-j9j4-54mp | RubyGems/decidim, RubyGems/decidim-core | Decidim's private data exports can lead to data leaks | 03 Feb | Fix available; Severity - 8.2 (High) |
RubyGems - OSV