wid-sec-w-2026-0833 · Published 2026-03-23 · View on BSI CERT-Bund ↗

Ruby on Rails: Multiple Vulnerabilities

CVSS 8.0 HIGH

Risk Summary

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVEs (10)

CVE-2026-33169 CVE-2026-33174 CVE-2026-33176 CVE-2026-33658 CVE-2026-33173 CVE-2026-33195 CVE-2026-33202 CVE-2026-33167 CVE-2026-33168 CVE-2026-33170

Affected Vendors

Open Source

Affected Products (6)

Open Source · Ruby on Rails <7.2.3.1

Open Source · Ruby on Rails 7.2.3.1

Open Source · Ruby on Rails <8.0.4.1

Open Source · Ruby on Rails 8.0.4.1

Open Source · Ruby on Rails <8.1.2.1

Open Source · Ruby on Rails 8.1.2.1

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more