Facets

How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!


Latest Gem Vulnerabilities

CVE-2020-26298 in redcarpet
Severe

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used.
Read more →

Published 8 days ago
CVE-2020-26247 in nokogiri
Severe

### Description In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all...
Read more →

Published 20 days ago
CVE-2020-26254 in omniauth-apple
Severe

### Impact This vulnerability impacts applications using the [omniauth-apple](https://github.com/nhosoya/omniauth-apple) strategy of OmniAuth and using the `info.email` field of OmniAuth's [Auth Hash Schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema) for any kind of identification. The value of this field may be set to any...
Read more →

Published about 1 month ago
CVE-2020-26222 in dependabot-common
Severe

### Impact Remote code execution vulnerability in `dependabot-common` and `dependabot-go_modules` when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: `"/$({curl,127.0.0.1})"`, Dependabot will make a HTTP request to the following URL:...
Read more →

Published 2 months ago
CVE-2020-26223 in spree_api
Severe

### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
Read more →

Published 2 months ago

Vulnerabilities in the Past 12 Months

Vulnerabilities
Feb 3
Mar 6
Apr 2
May 13
Jun 5
Jul 2
Aug 4
Sep 3
Oct 4
Nov 3
Dec 2
Jan 1

Vulnerabilities in the Past 6 Years

Vulnerabilities
2016 34
2017 35
2018 36
2019 47
2020 50
2021 1