Vulnerable Library - chromedriver-helper-2.1.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (chromedriver-helper version) |
Remediation Possible** |
Reachability |
| WS-2022-0089 |
High |
8.8 |
Not Defined |
|
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2021-3518 |
High |
8.8 |
Not Defined |
3.653% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2021-30560 |
High |
8.8 |
Not Defined |
21.623% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2021-3517 |
High |
8.6 |
Not Defined |
8.28% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2022-29181 |
High |
8.2 |
Not Defined |
3.078% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2024-34459 |
High |
7.5 |
Not Defined |
2.298% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2022-24836 |
High |
7.5 |
Not Defined |
3.549% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2021-41098 |
High |
7.5 |
Not Defined |
1.374% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2018-25032 |
High |
7.5 |
Not Defined |
52.063% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57235 |
Medium |
6.5 |
Not Defined |
0.331% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57438 |
Medium |
6.2 |
Not Defined |
0.093% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2021-3537 |
Medium |
5.9 |
Not Defined |
3.503% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57437 |
Medium |
5.3 |
Not Defined |
0.312% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57436 |
Medium |
5.3 |
Not Defined |
0.312% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57435 |
Medium |
5.3 |
Not Defined |
0.357% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57434 |
Medium |
5.3 |
Not Defined |
0.357% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57236 |
Medium |
5.3 |
Not Defined |
0.331% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2025-6490 |
Low |
3.3 |
Proof of concept |
0.152% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2026-57234 |
Low |
2.6 |
Not Defined |
0.166% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2020-26247 |
Low |
2.6 |
Not Defined |
1.109% |
nokogiri-1.10.8.gem |
Transitive |
N/A* |
❌ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2022-0089
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Summary Nokogiri "v1.13.2" (https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to "v2.9.13" (https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to "v1.1.35" (https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri "< 1.13.2", and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's "libxml2" and "libxslt" release announcements. Mitigation Upgrade to Nokogiri ">= 1.13.2". Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 ">= 2.9.13" and libxslt ">= 1.1.35", which will also address these same CVEs. Impact libxslt "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - CVSS3 score: 8.8 (High) - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options "DTDVALID" set to true, and "NOENT" set to false. An analysis of these parse options: - While "NOENT" is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - "DTDVALID" is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option "DTDVALID" when parsing untrusted documents is vulnerable and should be upgraded immediately.
Publish Date: 2026-05-28
URL: WS-2022-0089
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2024-12-05
Fix Resolution: nokogiri - v1.13.2
CVE-2021-3518
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Publish Date: 2021-05-18
URL: CVE-2021-3518
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.653%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3518
Release Date: 2021-05-18
Fix Resolution: libxml2 - 2.9.12
CVE-2021-30560
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Publish Date: 2021-08-03
URL: CVE-2021-30560
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 21.623%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560
Release Date: 2021-08-03
Fix Resolution: v1.1.35,libxslt - 1.1.35
CVE-2021-3517
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Publish Date: 2021-05-19
URL: CVE-2021-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 8.28%
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3517
Release Date: 2021-05-19
Fix Resolution: libxml2 - 2.9.12
CVE-2022-29181
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.078%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
CVE-2024-34459
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
Publish Date: 2024-05-13
URL: CVE-2024-34459
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.298%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2022-24836
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.549%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
CVE-2021-41098
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.374%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
CVE-2018-25032
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 52.063%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: zlib - 1.2.12
CVE-2026-57235
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57235
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.331%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5prr-v3j2-97mh
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2026-57438
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each "xi:include" (xi:include) in place, freeing the include node along with its children (such as "xi:fallback" (xi:fallback) and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-06-25
URL: CVE-2026-57438
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.093%
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wfpw-mmfh-qq69
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2021-3537
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Publish Date: 2021-05-14
URL: CVE-2021-3537
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.503%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3537
Release Date: 2021-05-14
Fix Resolution: libxml2 - 2.9.12
CVE-2026-57437
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57437
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.312%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p67v-3w7g-wjg7
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2026-57436
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57436
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.312%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wjv4-x9w8-wm3h
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2026-57435
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57435
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.357%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-phwj-rprq-35pp
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2026-57434
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57434
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.357%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9cv2-cfxc-v4v2
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2026-57236
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57236
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.331%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v8h-3h3q-446p
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2025-6490
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.
Publish Date: 2025-06-22
URL: CVE-2025-6490
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.152%
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
CVE-2026-57234
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57234
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.166%
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8678-w3jw-xfc2
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
CVE-2020-26247
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.109%
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-30
Fix Resolution: 1.11.0.rc4
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Summary Nokogiri "v1.13.2" (https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to "v2.9.13" (https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - vendored libxslt from v1.1.34 to "v1.1.35" (https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) Those library versions address the following upstream CVEs: - libxslt: "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - libxml2: "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri "< 1.13.2", and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's "libxml2" and "libxslt" release announcements. Mitigation Upgrade to Nokogiri ">= 1.13.2". Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 ">= 2.9.13" and libxslt ">= 1.1.35", which will also address these same CVEs. Impact libxslt "CVE-2021-30560" (https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - CVSS3 score: 8.8 (High) - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 "CVE-2022-23308" (https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options "DTDVALID" set to true, and "NOENT" set to false. An analysis of these parse options: - While "NOENT" is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - "DTDVALID" is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option "DTDVALID" when parsing untrusted documents is vulnerable and should be upgraded immediately.
Publish Date: 2026-05-28
URL: WS-2022-0089
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2024-12-05
Fix Resolution: nokogiri - v1.13.2
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Publish Date: 2021-05-18
URL: CVE-2021-3518
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.653%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3518
Release Date: 2021-05-18
Fix Resolution: libxml2 - 2.9.12
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Publish Date: 2021-08-03
URL: CVE-2021-30560
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 21.623%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560
Release Date: 2021-08-03
Fix Resolution: v1.1.35,libxslt - 1.1.35
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Publish Date: 2021-05-19
URL: CVE-2021-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 8.28%
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3517
Release Date: 2021-05-19
Fix Resolution: libxml2 - 2.9.12
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.078%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
Publish Date: 2024-05-13
URL: CVE-2024-34459
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.298%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri
< v1.13.4contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri>= 1.13.4. There are no known workarounds for this issue.Publish Date: 2022-04-11
URL: CVE-2022-24836
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.549%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.374%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 52.063%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: zlib - 1.2.12
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57235
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.331%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5prr-v3j2-97mh
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each "xi:include" (xi:include) in place, freeing the include node along with its children (such as "xi:fallback" (xi:fallback) and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-06-25
URL: CVE-2026-57438
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.093%
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wfpw-mmfh-qq69
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Publish Date: 2021-05-14
URL: CVE-2021-3537
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.503%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-3537
Release Date: 2021-05-14
Fix Resolution: libxml2 - 2.9.12
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57437
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.312%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p67v-3w7g-wjg7
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57436
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.312%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wjv4-x9w8-wm3h
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57435
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.357%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-phwj-rprq-35pp
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57434
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.357%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9cv2-cfxc-v4v2
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57236
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.331%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5v8h-3h3q-446p
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.
Publish Date: 2025-06-22
URL: CVE-2025-6490
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.152%
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
Publish Date: 2026-06-25
URL: CVE-2026-57234
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.166%
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8678-w3jw-xfc2
Release Date: 2026-06-25
Fix Resolution: nokogiri - 1.19.4
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.109%
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-12-30
Fix Resolution: 1.11.0.rc4