CVE-2026-25500

EUVD-2026-7916
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
rackrack
𝑥
< 2.2.22
rackrack
3.0.0 ≤
𝑥
< 3.1.20
rackrack
3.2.0 ≤
𝑥
< 3.2.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bookworm
vulnerable
bookworm (security)
2.2.22-0+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
2.1.4-3+deb11u5
fixed
forky
3.2.5-2
fixed
sid
3.2.5-2
fixed
trixie
vulnerable
trixie (security)
3.1.20-0+deb13u1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp