DEBIAN-CVE-2026-25500
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-25500
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25500.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-25500
- Upstream
- Published
- 2026-02-18T20:18:36.110Z
- Modified
- 2026-02-19T17:21:46.832523Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5,
Rack::Directorygenerates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with thejavascript:scheme (e.g.javascript:alert(1)), the generated index contains an anchor whosehrefis exactlyjavascript:alert(1). Clicking the entry executes JavaScript in the browser (demonstrated withalert(1)). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue. - References
Affected packages
Debian:11 / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/debian/ruby-rack?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.1.4-3
2.1.4-3+deb11u1
2.1.4-3+deb11u2
2.1.4-3+deb11u3
2.1.4-3+deb11u4
2.1.4-4
2.1.4-5
2.2.3-1
2.2.3-2
2.2.3-3
2.2.3-4
2.2.4-1
2.2.4-2
2.2.4-3
2.2.6.4-1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1
3.*
3.0.0-1
3.0.8-1
3.0.8-2
3.0.8-3
3.0.8-4
3.1.9-1~exp1
3.1.9-2
3.1.12-1
3.1.12-2~exp1
3.1.16-0.1
3.1.18-1~deb13u1
3.1.18-1
3.2.4-1
Debian:12 / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/debian/ruby-rack?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:13 / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/debian/ruby-rack?arch=source
Debian:14 / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/debian/ruby-rack?arch=source