5.3

CVE-2026-34763

EPSS 0.04%
Veröffentlicht 02.04.2026 16:43:42
Zuletzt bearbeitet 16.04.2026 17:26:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rack ≫ Rack SwPlatformruby Version < 2.2.23

Rack ≫ Rack SwPlatformruby Version >= 3.0.0 < 3.1.21

Rack ≫ Rack SwPlatformruby Version >= 3.2.0 < 3.2.6

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.124

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-625 Permissive Regular Expression

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-34763

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34763

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34763

EUVD