MGASA-2026-0226

Source
https://advisories.mageia.org/MGASA-2026-0226.html
Import Source
https://advisories.mageia.org/MGASA-2026-0226.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0226
Upstream
  • CVE-2026-26961
  • CVE-2026-32762
  • CVE-2026-34230
  • CVE-2026-34763
  • CVE-2026-34785
  • CVE-2026-34786
  • CVE-2026-34826
  • CVE-2026-34827
  • CVE-2026-34829
  • CVE-2026-34830
  • CVE-2026-34831
  • CVE-2026-34835
Published
2026-06-18T21:28:22Z
Modified
2026-06-18T21:30:04.563755676Z
Summary
Updated ruby-rack packages fix security vulnerabilities
Details

  • CVE-2026-26961: Greedy multipart boundary parsing can cause parser differentials and WAF bypass.
  • Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-34230: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header.
  • CVE-2026-34763: Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34785: Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34786: Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34826: Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34827: Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-34829: Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34830: Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34831: Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34835: Rack::Request accepts invalid Host characters, enabling host allowlist bypass.

References
Credits

Affected packages

Mageia:9 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:rpm/mageia/ruby-rack?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.23-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0226.json"