Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 187e2fef43f9 · 2026-03-23T20:55:38.000Z
GHSA-89vf-4333-qx8v GHSA-cg4j-q9v8-6v38 GHSA-qcfx-2mfw-w4cg
diff --git a/advisories/github-reviewed/2026/03/GHSA-89vf-4333-qx8v/GHSA-89vf-4333-qx8v.json b/advisories/github-reviewed/2026/03/GHSA-89vf-4333-qx8v/GHSA-89vf-4333-qx8v.json
@@ -0,0 +1,119 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-89vf-4333-qx8v",
+  "modified": "2026-03-23T20:53:28Z",
+  "published": "2026-03-23T20:53:28Z",
+  "aliases": [
+    "CVE-2026-33170"
+  ],
+  "summary": "Rails Active Support has a possible XSS vulnerability in SafeBuffer#%",
+  "details": "### Impact\n`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.\n\n### Releases\nThe fixed releases are available at the normal locations.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.1.0.beta1"
+            },
+            {
+              "fixed": "8.1.2.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0.beta1"
+            },
+            {
+              "fixed": "8.0.4.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.2.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rails/rails"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:53:28Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-cg4j-q9v8-6v38/GHSA-cg4j-q9v8-6v38.json b/advisories/github-reviewed/2026/03/GHSA-cg4j-q9v8-6v38/GHSA-cg4j-q9v8-6v38.json
@@ -0,0 +1,120 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cg4j-q9v8-6v38",
+  "modified": "2026-03-23T20:52:40Z",
+  "published": "2026-03-23T20:52:40Z",
+  "aliases": [
+    "CVE-2026-33169"
+  ],
+  "summary": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited",
+  "details": "### Impact\n`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.\n\n### Releases\nThe fixed releases are available at the normal locations.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.1.0.beta1"
+            },
+            {
+              "fixed": "8.1.2.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0.beta1"
+            },
+            {
+              "fixed": "8.0.4.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activesupport"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.2.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rails/rails"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333",
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:52:40Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qcfx-2mfw-w4cg/GHSA-qcfx-2mfw-w4cg.json b/advisories/github-reviewed/2026/03/GHSA-qcfx-2mfw-w4cg/GHSA-qcfx-2mfw-w4cg.json
@@ -0,0 +1,119 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qcfx-2mfw-w4cg",
+  "modified": "2026-03-23T20:54:16Z",
+  "published": "2026-03-23T20:54:16Z",
+  "aliases": [
+    "CVE-2026-33173"
+  ],
+  "summary": "Rails Active Storage has possible content type bypass via metadata in direct uploads",
+  "details": "### Impact\nActive Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a malicious direct-upload client could set these flags.\n\n### Releases\nThe fixed releases are available at the normal locations.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activestorage"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.1.0.beta1"
+            },
+            {
+              "fixed": "8.1.2.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activestorage"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0.beta1"
+            },
+            {
+              "fixed": "8.0.4.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activestorage"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.2.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rails/rails"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-925"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T20:54:16Z",
+    "nvd_published_at": null
+  }
+}
