CVE-2026-34060

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34060

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34060.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-34060

Aliases

GHSA-c4r5-fxqw-vh93

Downstream

DEBIAN-CVE-2026-34060

Published

2026-03-31T01:59:51.170Z

Modified

2026-04-10T05:43:21.785691Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Ruby LSP has arbitrary code execution through branch setting

Details

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34060.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/shopify/ruby-lsp

Affected ranges

Type

GIT

Repo

https://github.com/shopify/ruby-lsp

Events

Introduced

Fixed

29ecc8d29dde87e6157a75bc2f0a3eb62db02ea3

Fixed

9e53e7e8366a13e44079f252ee8e5d5000803fe2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.26.9"
        },
        {
            "fixed": "0.10.2"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.1.0

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.11.2

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.12.4

v0.12.5

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.13.4

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.14.5

v0.14.6

v0.15.0

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.16.7

v0.17.0

v0.17.1

v0.17.10

v0.17.11

v0.17.12

v0.17.13

v0.17.14

v0.17.15

v0.17.16

v0.17.17

v0.17.2

v0.17.3

v0.17.4

v0.17.5

v0.17.6

v0.17.7

v0.17.8

v0.17.9

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.19.1

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.21.2

v0.21.3

v0.22.0

v0.22.1

v0.23.0

v0.23.1

v0.23.10

v0.23.11

v0.23.12

v0.23.13

v0.23.14

v0.23.15

v0.23.16

v0.23.17

v0.23.18

v0.23.19

v0.23.2

v0.23.20

v0.23.21

v0.23.22

v0.23.23

v0.23.24

v0.23.3

v0.23.4

v0.23.5

v0.23.6

v0.23.7

v0.23.8

v0.23.9

v0.24.0

v0.24.1

v0.24.2

v0.25.0

v0.26.0

v0.26.1

v0.26.2

v0.26.3

v0.26.4

v0.26.5

v0.26.6

v0.26.7

v0.26.8

v0.3.0

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.8.0

v0.8.1

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.9.4

vscode-ruby-lsp-v0.*

vscode-ruby-lsp-v0.10.0

vscode-ruby-lsp-v0.10.1

vscode-ruby-lsp-v0.10.2

vscode-ruby-lsp-v0.5.11

vscode-ruby-lsp-v0.5.12

vscode-ruby-lsp-v0.5.13

vscode-ruby-lsp-v0.5.14

vscode-ruby-lsp-v0.5.15

vscode-ruby-lsp-v0.5.16

vscode-ruby-lsp-v0.5.17

vscode-ruby-lsp-v0.5.18

vscode-ruby-lsp-v0.5.19

vscode-ruby-lsp-v0.5.20

vscode-ruby-lsp-v0.5.21

vscode-ruby-lsp-v0.7.0

vscode-ruby-lsp-v0.7.1

vscode-ruby-lsp-v0.7.10

vscode-ruby-lsp-v0.7.11

vscode-ruby-lsp-v0.7.12

vscode-ruby-lsp-v0.7.13

vscode-ruby-lsp-v0.7.14

vscode-ruby-lsp-v0.7.15

vscode-ruby-lsp-v0.7.16

vscode-ruby-lsp-v0.7.17

vscode-ruby-lsp-v0.7.18

vscode-ruby-lsp-v0.7.19

vscode-ruby-lsp-v0.7.2

vscode-ruby-lsp-v0.7.20

vscode-ruby-lsp-v0.7.4

vscode-ruby-lsp-v0.7.5

vscode-ruby-lsp-v0.7.6

vscode-ruby-lsp-v0.7.8

vscode-ruby-lsp-v0.8.0

vscode-ruby-lsp-v0.8.1

vscode-ruby-lsp-v0.8.10

vscode-ruby-lsp-v0.8.12

vscode-ruby-lsp-v0.8.13

vscode-ruby-lsp-v0.8.14

vscode-ruby-lsp-v0.8.15

vscode-ruby-lsp-v0.8.16

vscode-ruby-lsp-v0.8.17

vscode-ruby-lsp-v0.8.18

vscode-ruby-lsp-v0.8.19

vscode-ruby-lsp-v0.8.2

vscode-ruby-lsp-v0.8.20

vscode-ruby-lsp-v0.8.3

vscode-ruby-lsp-v0.8.4

vscode-ruby-lsp-v0.8.5

vscode-ruby-lsp-v0.8.6

vscode-ruby-lsp-v0.8.7

vscode-ruby-lsp-v0.8.8

vscode-ruby-lsp-v0.8.9

vscode-ruby-lsp-v0.9.10

vscode-ruby-lsp-v0.9.11

vscode-ruby-lsp-v0.9.12

vscode-ruby-lsp-v0.9.13

vscode-ruby-lsp-v0.9.14

vscode-ruby-lsp-v0.9.15

vscode-ruby-lsp-v0.9.16

vscode-ruby-lsp-v0.9.17

vscode-ruby-lsp-v0.9.18

vscode-ruby-lsp-v0.9.19

vscode-ruby-lsp-v0.9.2

vscode-ruby-lsp-v0.9.20

vscode-ruby-lsp-v0.9.21

vscode-ruby-lsp-v0.9.22

vscode-ruby-lsp-v0.9.23

vscode-ruby-lsp-v0.9.24

vscode-ruby-lsp-v0.9.25

vscode-ruby-lsp-v0.9.26

vscode-ruby-lsp-v0.9.27

vscode-ruby-lsp-v0.9.28

vscode-ruby-lsp-v0.9.29

vscode-ruby-lsp-v0.9.3

vscode-ruby-lsp-v0.9.30

vscode-ruby-lsp-v0.9.31

vscode-ruby-lsp-v0.9.32

vscode-ruby-lsp-v0.9.33

vscode-ruby-lsp-v0.9.5

vscode-ruby-lsp-v0.9.6

vscode-ruby-lsp-v0.9.7

vscode-ruby-lsp-v0.9.8

vscode-ruby-lsp-v0.9.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34060.json"