Software Detail
Ruby on Rails: 106 NVD entries (CRITICAL 3, HIGH 34, MEDIUM 68, LOW 1)
URL: https://rubyonrails.org/
Explanation: Ruby on Rails is the best-known web framework written in Ruby. Its guiding principles are "Don't Repeat Yourself" and "Convention over Configuration", and it follows the Model-View-Controller (MVC) pattern.

Maintenance policy: the latest major release receives bug fixes and security fixes; the previous major release receives security fixes only; earlier major releases are no longer supported.

Serious security issues may still be fixed in releases that are otherwise outside of support.
Tag
  • MIT License
  • Ruby

Additional information URLs
  1. https://rubyonrails.org/
  2. https://guides.rubyonrails.org/maintenance_policy.html
  3. https://railslts.com/
  4. https://railsguides.jp/maintenance_policy.html
  5. https://weblog.rubyonrails.org/releases/
  6. https://github.com/rails/rails
  7. https://rubyonrails.org/security/

List of Products (release history and per-version vulnerability counts)
The Service Pack Support and Extended (for a fee) columns are empty for every row and are omitted below. Empty date cells are empty on the page as well.

No  | Name              | Latest version | Release date   | Initial release | Normal support until | Security support until | Critical | High | Medium | Low
101 | Ruby on Rails 7.0 | 7.0.8.4        | June 4, 2024   | Dec. 15, 2021   |                      |                        | 1        | 2    | 4      | 0
102 | Ruby on Rails 6.1 | 6.1.7.7        | Feb. 21, 2024  | Dec. 9, 2020    |                      |                        | 1        | 6    | 6      | 0
103 | Ruby on Rails 6.0 | 6.0.6.1        | Jan. 17, 2023  | Aug. 16, 2019   |                      |                        | 2        | 8    | 9      | 0
104 | Ruby on Rails 5.2 | 5.2.8.1        | July 12, 2022  | April 9, 2018   |                      |                        | 2        | 10   | 5      | 0
105 | Ruby on Rails 5.1 | 5.1.7          | March 27, 2019 | April 27, 2017  | April 9, 2018        | April 9, 2018          | 2        | 11   | 4      | 0
106 | Ruby on Rails 5.0 | 5.0.7.2        | March 11, 2019 | June 30, 2016   | April 27, 2017       | April 27, 2017         | 2        | 15   | 7      | 1
107 | Ruby on Rails 4.2 | 4.2.11.3       | May 15, 2020   | Dec. 20, 2014   | June 30, 2016        | Aug. 16, 2019          | 2        | 17   | 9      | 1
108 | Ruby on Rails 4.1 | 4.1.16         | July 12, 2016  | April 8, 2014   | Dec. 20, 2014        | Dec. 20, 2014          | 2        | 17   | 12     | 1
109 | Ruby on Rails 4.0 | 4.0.13         | Jan. 6, 2015   | June 25, 2013   | April 8, 2014        | Dec. 20, 2014          | 2        | 17   | 14     | 1
110 | Ruby on Rails 3.2 | 3.2.2.25       |                |                 |                      |                        | 2        | 16   | 31     | 0
111 | Ruby on Rails 3.1 | 3.1.9          |                |                 |                      |                        | 2        | 16   | 35     | 0
112 | Ruby on Rails 3.0 | 3.0.9          |                |                 |                      |                        | 2        | 20   | 37     | 0
113 | Ruby on Rails 2.3 | 2.3.9          |                |                 |                      |                        | 2        | 14   | 29     | 0
114 | Ruby on Rails 2.2 | 2.2.3          |                |                 |                      |                        | 2        | 12   | 22     | 0
115 | Ruby on Rails 2.1 | 2.1.2          |                |                 |                      |                        | 2        | 13   | 24     | 0
116 | Ruby on Rails 2.0 | 2.0.5          |                |                 |                      |                        | 2        | 13   | 22     | 0
117 | Ruby on Rails 1.9 | 1.9.5          |                |                 |                      |                        | 2        | 11   | 17     | 0
118 | Ruby on Rails 1.2 | 1.2.6          |                |                 |                      |                        | 2        | 11   | 17     | 0
119 | Ruby on Rails 1.1 | 1.1.6          |                |                 |                      |                        | 2        | 13   | 17     | 0
120 | Ruby on Rails 1.0 | 1.0.0          |                |                 |                      |                        | 2        | 12   | 16     | 0
121 | Ruby on Rails 0.9 | 0.9.5          |                |                 |                      |                        | 2        | 12   | 16     | 0
122 | Ruby on Rails 0.14 | 0.14.4        |                |                 |                      |                        | 2        | 12   | 16     | 0
123 | Ruby on Rails 0.13 | 0.13.1        |                |                 |                      |                        | 2        | 12   | 16     | 0
124 | Ruby on Rails 0.12 | 0.12.1        |                |                 |                      |                        | 2        | 12   | 16     | 0
125 | Ruby on Rails 0.11 | 0.11.1        |                |                 |                      |                        | 2        | 12   | 16     | 0
126 | Ruby on Rails 0.10 | 0.10.1        |                |                 |                      |                        | 2        | 12   | 16     | 0
NVD Vulnerability Information
Each entry lists: No, CVSS3, CVSS2, Level, Title, CWE, CVE, cpe23Uri, Update date, Published date. Titles are truncated on the page as shown.
101  CVSS3: -   CVSS2: 5.0   Level: MEDIUM
     Title: CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to fu…
     CWE: CWE-352 (Origin Validation Error)
     CVE: CVE-2008-5189
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:2.0.2:*; cpe:2.3:a:rubyonrails:rails:2.0.1:*; cpe:2.3:a:rubyonrails:rails:2.0.0:rc2
     Update date: 2026-04-23 09:35   Published date: 2008-11-21
102  CVSS3: -   CVSS2: 7.5   Level: HIGH
     Title: Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, A…
     CWE: CWE-89 (SQL Injection)
     CVE: CVE-2008-4094
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:2.1.0:*; cpe:2.3:a:rubyonrails:rails:2.0.4:*; cpe:2.3:a:rubyonrails:rails:2.0.2:*; cp…
     Update date: 2026-04-23 09:35   Published date: 2008-10-1
103  CVSS3: -   CVSS2: 6.8   Level: MEDIUM
     Title: The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively c…
     CWE: CWE-362 (Race Condition)
     CVE: CVE-2007-6077
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:1.2.4:*
     Update date: 2026-04-23 09:35   Published date: 2007-11-22
104  CVSS3: -   CVSS2: 4.3   Level: MEDIUM
     Title: Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input va…
     CWE: CWE-79 (Cross-site Scripting)
     CVE: CVE-2007-3227
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:1.1.5:*
     Update date: 2026-04-23 09:35   Published date: 2007-06-15
105  CVSS3: -   CVSS2: 7.5   Level: HIGH
     Title: Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a differe…
     CWE: CWE-94 (Code Injection)
     CVE: CVE-2006-4111
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:1.1.3:*; cpe:2.3:a:rubyonrails:rails:1.1.2:*; cpe:2.3:a:rubyonrails:rails:1.1.1:*; cp…
     Update date: 2019-08-8 23:38   Published date: 2006-08-15
106  CVSS3: -   CVSS2: 7.5   Level: HIGH
     Title: Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled i…
     CWE: NVD-CWE-noinfo
     CVE: CVE-2006-4112
     cpe23Uri: cpe:2.3:a:rubyonrails:rails:1.1.4:*; cpe:2.3:a:rubyonrails:rails:1.1.3:*; cpe:2.3:a:rubyonrails:rails:1.1.2:*; cp…
     Update date: 2019-08-8 23:38   Published date: 2006-08-15