CVE-2026-34763

EUVD-2026-18380

02.04.2026, 17:16

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Affected Products (NVD)

Vendor	Product	Version
rack	rack	𝑥 < 2.2.23
rack	rack	3.0.0 ≤ 𝑥 < 3.1.21
rack	rack	3.2.0 ≤ 𝑥 < 3.2.6

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

rmt-server

suse enterprise sap 15 SP7	2.27-150700.3.20.1 fixed
suse enterprise server 15 SP4	2.27-150400.3.54.1 fixed
suse enterprise server 15 SP7	2.27-150700.3.20.1 fixed

rmt-server-config

suse enterprise sap 15 SP7	2.27-150700.3.20.1 fixed
suse enterprise server 15 SP4	2.27-150400.3.54.1 fixed
suse enterprise server 15 SP7	2.27-150700.3.20.1 fixed

rmt-server-pubcloud

suse enterprise server 15 SP4

2.27-150400.3.54.1

fixed

Common Weakness Enumeration

CWE-625 - Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.

References

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp