Software Detail
Ruby on Rails. Number of NVD entries: 106 (CRITICAL 3, HIGH 34, MEDIUM 68, LOW 1)
URL https://rubyonrails.org/
Explanation Ruby on Rails is the most widely used web application framework written in Ruby.
Its guiding principles are "Don't Repeat Yourself" and "Convention over Configuration".
It follows the Model-View-Controller (MVC) pattern.

Maintenance policy: the latest major release series receives bug fixes and security fixes.
The previous major release series receives security fixes only.
Earlier major release series are no longer supported.

Serious security issues may still be addressed in releases that are otherwise out of support.
Tag
  • Ruby
  • MIT License

Additional Information URLs
1. https://rubyonrails.org/
2. https://guides.rubyonrails.org/maintenance_policy.html (maintenance policy)
3. https://railslts.com/
4. https://railsguides.jp/maintenance_policy.html (maintenance policy, Japanese translation)
5. https://weblog.rubyonrails.org/releases/ (release announcements)
6. https://github.com/rails/rails (source repository)
7. https://rubyonrails.org/security/ (security policy and reporting)

List of Products (release history and NVD vulnerability counts per release series)

No  | Name               | Latest version | Release date   | Initial release | Normal support until | Security support until | Critical | High | Medium | Low
----|--------------------|----------------|----------------|-----------------|----------------------|------------------------|----------|------|--------|----
91  | Ruby on Rails 7.0  | 7.0.8.4        | June 4, 2024   | Dec. 15, 2021   |                      |                        | 1        | 2    | 4      | 0
92  | Ruby on Rails 6.1  | 6.1.7.7        | Feb. 21, 2024  | Dec. 9, 2020    |                      |                        | 1        | 6    | 6      | 0
93  | Ruby on Rails 6.0  | 6.0.6.1        | Jan. 17, 2023  | Aug. 16, 2019   |                      |                        | 2        | 8    | 9      | 0
94  | Ruby on Rails 5.2  | 5.2.8.1        | July 12, 2022  | April 9, 2018   |                      |                        | 2        | 10   | 5      | 0
95  | Ruby on Rails 5.1  | 5.1.7          | March 27, 2019 | April 27, 2017  | April 9, 2018        | April 9, 2018          | 2        | 11   | 4      | 0
96  | Ruby on Rails 5.0  | 5.0.7.2        | March 11, 2019 | June 30, 2016   | April 27, 2017       | April 27, 2017         | 2        | 15   | 7      | 1
97  | Ruby on Rails 4.2  | 4.2.11.3       | May 15, 2020   | Dec. 20, 2014   | June 30, 2016        | Aug. 16, 2019          | 2        | 17   | 9      | 1
98  | Ruby on Rails 4.1  | 4.1.16         | July 12, 2016  | April 8, 2014   | Dec. 20, 2014        | Dec. 20, 2014          | 2        | 17   | 12     | 1
99  | Ruby on Rails 4.0  | 4.0.13         | Jan. 6, 2015   | June 25, 2013   | April 8, 2014        | Dec. 20, 2014          | 2        | 17   | 14     | 1
100 | Ruby on Rails 3.2  | 3.2.22.5       |                |                 |                      |                        | 2        | 16   | 31     | 0
101 | Ruby on Rails 3.1  | 3.1.9          |                |                 |                      |                        | 2        | 16   | 35     | 0
102 | Ruby on Rails 3.0  | 3.0.9          |                |                 |                      |                        | 2        | 20   | 37     | 0
103 | Ruby on Rails 2.3  | 2.3.9          |                |                 |                      |                        | 2        | 14   | 29     | 0
104 | Ruby on Rails 2.2  | 2.2.3          |                |                 |                      |                        | 2        | 12   | 22     | 0
105 | Ruby on Rails 2.1  | 2.1.2          |                |                 |                      |                        | 2        | 13   | 24     | 0
106 | Ruby on Rails 2.0  | 2.0.5          |                |                 |                      |                        | 2        | 13   | 22     | 0
107 | Ruby on Rails 1.9  | 1.9.5          |                |                 |                      |                        | 2        | 11   | 17     | 0
108 | Ruby on Rails 1.2  | 1.2.6          |                |                 |                      |                        | 2        | 11   | 17     | 0
109 | Ruby on Rails 1.1  | 1.1.6          |                |                 |                      |                        | 2        | 13   | 17     | 0
110 | Ruby on Rails 1.0  | 1.0.0          |                |                 |                      |                        | 2        | 12   | 16     | 0
111 | Ruby on Rails 0.9  | 0.9.5          |                |                 |                      |                        | 2        | 12   | 16     | 0
112 | Ruby on Rails 0.14 | 0.14.4         |                |                 |                      |                        | 2        | 12   | 16     | 0
113 | Ruby on Rails 0.13 | 0.13.1         |                |                 |                      |                        | 2        | 12   | 16     | 0
114 | Ruby on Rails 0.12 | 0.12.1         |                |                 |                      |                        | 2        | 12   | 16     | 0
115 | Ruby on Rails 0.11 | 0.11.1         |                |                 |                      |                        | 2        | 12   | 16     | 0
116 | Ruby on Rails 0.10 | 0.10.1         |                |                 |                      |                        | 2        | 12   | 16     | 0

Support date columns are blank where the page lists none. Counts are the NVD entries recorded against each series by severity.
NVD Vulnerability Information
Each entry lists: No., CVE, CVSS v3 score (- where NVD has none), CVSS v2 score and severity level, CWE, the NVD description (cut off on this page where it ends in …), the affected cpe23Uri values, and the NVD published and last-updated dates.
No. 91  CVE-2011-2197  CVSS3: -  CVSS2: 4.3 (MEDIUM)  CWE-79 Cross-site Scripting
  The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it …
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.1.0:rc1; cpe:2.3:a:rubyonrails:rails:3.1.0:beta1; cpe:2.3:a:rubyonrails:rails:3.1.0:*…
  Published: 2011-07-01  Updated: 2024-11-21 10:27
No. 92  CVE-2011-0449  CVSS3: -  CVSS2: 7.5 (HIGH)  CWE-264 Permissions, Privileges, and Access Controls
  actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of availa…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.0.4:rc1; cpe:2.3:a:rubyonrails:rails:3.0.3:*; cpe:2.3:a:rubyonrails:rails:3.0.2:pre
  Published: 2011-02-22  Updated: 2024-11-21 10:24
No. 93  CVE-2011-0448  CVSS3: -  CVSS2: 7.5 (HIGH)  CWE-89 SQL Injection
  Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-num…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.0.4:rc1; cpe:2.3:a:rubyonrails:rails:3.0.3:*; cpe:2.3:a:rubyonrails:rails:3.0.2:pre
  Published: 2011-02-22  Updated: 2024-11-21 10:24
No. 94  CVE-2011-0447  CVSS3: -  CVSS2: 6.8 (MEDIUM)  CWE-352 Cross-Site Request Forgery (CSRF)
  Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.0.4:rc1; cpe:2.3:a:rubyonrails:rails:3.0.3:*; cpe:2.3:a:rubyonrails:rails:3.0.2:pre
  Published: 2011-02-15  Updated: 2024-11-21 10:24
No. 95  CVE-2011-0446  CVSS3: -  CVSS2: 4.3 (MEDIUM)  CWE-79 Cross-site Scripting
  Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbi…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.0.4:rc1; cpe:2.3:a:rubyonrails:rails:3.0.3:*; cpe:2.3:a:rubyonrails:rails:3.0.2:pre
  Published: 2011-02-15  Updated: 2024-11-21 10:23
No. 96  CVE-2010-3933  CVSS3: -  CVSS2: 6.4 (MEDIUM)  CWE-20 Improper Input Validation
  Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:3.0.0:*; cpe:2.3:a:rubyonrails:rails:2.3.9:*
  Published: 2010-10-28  Updated: 2024-11-21 10:19
No. 97  CVE-2008-7248  CVSS3: -  CVSS2: 6.8 (MEDIUM)  CWE-20 Improper Input Validation
  Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protect…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:2.2.1:*; cpe:2.3:a:rubyonrails:rails:2.2.0:*; cpe:2.3:a:rubyonrails:rails:2.1.2:*; cp…
  Published: 2009-12-16  Updated: 2026-04-23 09:35
No. 98  CVE-2009-4214  CVSS3: -  CVSS2: 4.3 (MEDIUM)  CWE-79 Cross-site Scripting
  Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors i…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:2.3.4:*; cpe:2.3:a:rubyonrails:rails:2.3.3:*; cpe:2.3:a:rubyonrails:rails:2.3.2:*; cp…
  Published: 2009-12-08  Updated: 2026-04-23 09:35
No. 99  CVE-2009-3086  CVSS3: -  CVSS2: 5.0 (MEDIUM)  CWE-200 Information Exposure
  A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allo…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:2.3.3:*; cpe:2.3:a:rubyonrails:rails:2.3.2:*; cpe:2.3:a:rubyonrails:rails:2.2.2:*; cp…
  Published: 2009-09-09  Updated: 2026-04-23 09:35
No. 100  CVE-2009-3009  CVSS3: -  CVSS2: 4.3 (MEDIUM)  CWE-79 Cross-site Scripting
  Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings…
  Affected (cpe23Uri): cpe:2.3:a:rubyonrails:rails:2.3.3:*; cpe:2.3:a:rubyonrails:rails:2.3.2:*; cpe:2.3:a:rubyonrails:rails:2.2.2:*; cp…
  Published: 2009-09-09  Updated: 2026-04-23 09:35
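Entry 93 (CVE-2011-0448) describes a LIMIT value that reaches the SQL text without being forced to an integer. The Ruby below is an added example written for this page; it is not Rails code and not the patched Rails implementation. It builds only the SQL string (no database is involved), with a hypothetical UnsafeQueryBuilder that interpolates the caller's value as the entry describes, beside a SafeQueryBuilder that coerces it with Integer() in base 10. The class names, sql_for and the sample inputs are all constructed for the illustration.

```ruby
# Added example (not Rails code): an unvalidated LIMIT argument beside the
# integer coercion that closes the hole. Hypothetical names: UnsafeQueryBuilder,
# SafeQueryBuilder, sql_for. Only SQL text is produced; nothing is executed.

class UnsafeQueryBuilder
  def initialize(table)
    @table = table # trusted identifier chosen by the application, not user input
  end

  # Vulnerable shape: the caller's value is interpolated verbatim, so anything
  # that is not a number simply becomes part of the SQL statement.
  def limit(value)
    "SELECT * FROM #{@table} LIMIT #{value}"
  end
end

class SafeQueryBuilder
  def initialize(table)
    @table = table
  end

  # Hardened shape: coerce to a base-10 integer before it touches the SQL text.
  # Integer(str, 10) accepts only a complete decimal literal and raises
  # ArgumentError for anything else ("1; DROP TABLE users", "10 OFFSET 5",
  # "0x1f", ""). A negative count is refused rather than passed through.
  def limit(value)
    n = value.is_a?(Integer) ? value : Integer(value.to_s, 10)
    raise ArgumentError, "limit must be non-negative, got #{n}" if n < 0
    "SELECT * FROM #{@table} LIMIT #{n}"
  end
end

# Run one builder on one value and report either the SQL or the rejection,
# so the two behaviours can be compared side by side on the same input.
def sql_for(builder, value)
  [:ok, builder.limit(value)]
rescue ArgumentError, TypeError => e
  [:rejected, e.class.name]
end

if __FILE__ == $0
  # Constructed inputs: two legitimate limits, then values a user could send.
  ["10", 5, "1; DROP TABLE users", "10 OFFSET 5", "-1", nil].each do |v|
    puts format("%-24p unsafe=%p safe=%p", v,
                sql_for(UnsafeQueryBuilder.new("users"), v),
                sql_for(SafeQueryBuilder.new("users"), v))
  end
end
```

The point of using Integer() rather than to_i is the failure mode: "1; DROP TABLE users".to_i silently returns 1 and hides the attempt, whereas Integer() raises, which is what you want logged.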
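Entries 94 (CVE-2011-0447) and 97 (CVE-2008-7248) both describe a CSRF check that was skipped on the basis of something the sender controls: the request's content type in one case and an X-Requested-With header in the other. The Ruby below is an added example, not Rails' own request-forgery protection; it models a legacy policy containing both skips beside a policy that keys only on the HTTP method and always demands a token. Requests are plain Hashes with hypothetical keys (:method, :content_type, :headers, :params, :session_token), the four sample requests are constructed, and the token comparison delegates to OpenSSL.fixed_length_secure_compare.

```ruby
require "openssl"

# Added example (not Rails code) of the two skip conditions the CVE-2008-7248
# and CVE-2011-0447 entries describe. Request shape is hypothetical: a Hash
# with :method, :content_type, :headers, :params and :session_token.

SAFE_METHODS = %w[GET HEAD].freeze

# Constant-time token comparison via the library primitive; lengths are
# checked first because fixed_length_secure_compare raises on a mismatch.
def token_matches?(presented, expected)
  return false if presented.nil? || expected.nil?
  return false unless presented.bytesize == expected.bytesize
  OpenSSL.fixed_length_secure_compare(presented, expected)
end

# Legacy policy modelled on the two entries: only "form" content types are
# checked (CVE-2008-7248), and a request marked as XHR is trusted outright
# (CVE-2011-0447). A cross-site POST sent as text/plain, or carrying a forged
# X-Requested-With header, is never asked for a token at all.
def verified_request_legacy?(req)
  return true if SAFE_METHODS.include?(req[:method])
  form_types = %w[application/x-www-form-urlencoded multipart/form-data]
  return true unless form_types.include?(req[:content_type])
  return true if req[:headers]["X-Requested-With"] == "XMLHttpRequest"
  token_matches?(req[:params]["authenticity_token"], req[:session_token])
end

# Hardened policy: every state-changing method must present a token, whatever
# the content type or XHR marker says. The token may arrive as a form field or
# in an X-CSRF-Token header, so XHR and JSON clients still work without a bypass.
def verified_request?(req)
  return true if SAFE_METHODS.include?(req[:method])
  presented = req[:params]["authenticity_token"] || req[:headers]["X-CSRF-Token"]
  token_matches?(presented, req[:session_token])
end

# Constructed sample requests (not captured traffic). The session token is a
# fixed string standing in for the per-session value a real app would store.
SESSION_TOKEN = "s3cr3t-token-from-session"

def forged_text_plain_post
  { method: "POST", content_type: "text/plain", headers: {},
    params: { "id" => "42" }, session_token: SESSION_TOKEN }
end

def forged_xhr_post
  { method: "POST", content_type: "application/x-www-form-urlencoded",
    headers: { "X-Requested-With" => "XMLHttpRequest" },
    params: { "id" => "42" }, session_token: SESSION_TOKEN }
end

def legitimate_form_post
  { method: "POST", content_type: "application/x-www-form-urlencoded", headers: {},
    params: { "authenticity_token" => SESSION_TOKEN }, session_token: SESSION_TOKEN }
end

def legitimate_xhr_post
  { method: "POST", content_type: "application/json",
    headers: { "X-CSRF-Token" => SESSION_TOKEN }, params: {},
    session_token: SESSION_TOKEN }
end

if __FILE__ == $0
  { "forged text/plain POST" => forged_text_plain_post,
    "forged XHR POST"        => forged_xhr_post,
    "legitimate form POST"   => legitimate_form_post,
    "legitimate XHR POST"    => legitimate_xhr_post }.each do |name, req|
    puts format("%-24s legacy=%-5s hardened=%s", name,
                verified_request_legacy?(req), verified_request?(req))
  end
end
```

The two forged requests pass the legacy policy and fail the hardened one, while both legitimate requests pass both: nothing an attacker can set from another origin changes whether the token is demanded, only whether the token is right.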
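Entry 99 (CVE-2009-3086) describes a cookie-store signature check whose running time depends on how much of a forged digest is correct. The Ruby below is an added example, not the Rails cookie store: a hypothetical SignedCookie class that signs a payload with HMAC-SHA1 and verifies it two ways. Instead of measuring wall-clock time, which is noisy, it counts how many bytes each comparison examines before it can return, which is exactly what the early-exit comparison leaks to a remote attacker. The secret, payload and forgery routine are constructed for the illustration; the hex(payload)--hex(HMAC) encoding is a deliberate simplification.

```ruby
require "openssl"

# Added example (not Rails code) of the defect in the CVE-2009-3086 entry.
# Hypothetical names: SignedCookie, forged_cookie, naive_steps, secure_steps.

class SignedCookie
  SEP = "--"

  def initialize(secret)
    @secret = secret
  end

  # Cookie value is hex(payload)--hex(HMAC-SHA1(secret, hex(payload))).
  def generate(payload)
    data = payload.unpack1("H*")
    "#{data}#{SEP}#{hmac(data)}"
  end

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), @secret, data)
  end

  # Vulnerable verification: early-exit comparison of the presented digest.
  def verify_naive(cookie)
    data, digest = cookie.split(SEP, 2)
    return nil unless data && digest
    _steps, equal = early_exit_compare(digest, hmac(data))
    equal ? [data].pack("H*") : nil
  end

  # Hardened verification: every byte is examined whatever the first
  # mismatch position, so the work done does not depend on the forgery.
  def verify_secure(cookie)
    data, digest = cookie.split(SEP, 2)
    return nil unless data && digest
    _steps, equal = constant_time_compare(digest, hmac(data))
    equal ? [data].pack("H*") : nil
  end

  # Returns [bytes examined, equal?]. Models an ordinary string equality
  # that stops at the first differing byte.
  def early_exit_compare(a, b)
    return [0, false] unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
      return [i + 1, false] if x != y
    end
    [a.bytesize, true]
  end

  # Returns [bytes examined, equal?]. Accumulates differences with XOR/OR and
  # only looks at the result after the whole string has been walked.
  def constant_time_compare(a, b)
    return [0, false] unless a.bytesize == b.bytesize
    acc = 0
    a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
    [a.bytesize, acc.zero?]
  end
end

# Constructed forgery: the real digest with its first prefix_len hex characters
# intact and every later character altered.
def forged_cookie(store, payload, prefix_len)
  data = payload.unpack1("H*")
  real = store.hmac(data)
  fake = real.dup
  (prefix_len...real.length).each { |i| fake[i] = real[i] == "0" ? "1" : "0" }
  "#{data}#{SignedCookie::SEP}#{fake}"
end

# Bytes the naive comparison spends on a forgery with the given correct prefix.
def naive_steps(store, payload, prefix_len)
  data, digest = forged_cookie(store, payload, prefix_len).split(SignedCookie::SEP, 2)
  store.early_exit_compare(digest, store.hmac(data)).first
end

def secure_steps(store, payload, prefix_len)
  data, digest = forged_cookie(store, payload, prefix_len).split(SignedCookie::SEP, 2)
  store.constant_time_compare(digest, store.hmac(data)).first
end

def demo_store
  SignedCookie.new("constructed-secret")
end

if __FILE__ == $0
  store = demo_store
  [0, 10, 20, 39].each do |prefix|
    puts format("correct prefix %2d: naive examines %2d bytes, constant-time %2d",
                prefix, naive_steps(store, "user_id=1", prefix), secure_steps(store, "user_id=1", prefix))
  end
end
```

With the naive check the byte count rises one-for-one with the length of the correct prefix, which is the signal an attacker uses to recover a valid digest hex digit by hex digit; with the constant-time check it is 40 (the SHA1 hex length) for every forgery.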