Rails 8.1 → 8.1.2.1 · Rails 8.0 → 8.0.4.1 · Rails 7.2 → 7.2.3.1 · Rails 7.1 & 7.0: EOL — no more patches
All Rails CVEs — Complete Vulnerability History
Last updated: April 1, 2026 · Data: OSV Database
Rails has a mature, well-run security process. CVEs are disclosed on the Rails blog and through the rubyonrails-security mailing list. Most CVEs are XSS, CSRF, or open redirect issues: serious, but manageable with prompt updates.
March 2026 Security Release — 10 CVEs
On March 23, 2026, Rails released security patches across all supported versions (7.2.3.1, 8.0.4.1, 8.1.2.1) addressing 10 security issues including path traversal in Active Storage, XSS in Action Pack debug exceptions, and DoS via Active Storage proxy mode. Rails 7.0 and 7.1 received no patches — they are end of life.
| CVE | Component | Description |
|---|---|---|
| CVE-2026-33195 | Active Storage | Path traversal in DiskService |
| CVE-2026-33167 | Action Pack | XSS in debug exceptions (dev mode) |
| CVE-2026-33168 | Action View | XSS in tag helpers |
| CVE-2026-33174 | Active Storage | DoS via Range requests in proxy mode |
| CVE-2026-33202 | Active Storage | Glob injection in DiskService |
| CVE-2026-33169 | Active Support | ReDoS in number_to_delimited |
| +4 more | Various | XSS, DoS, metadata filtering |
```shell
# Update to the March 2026 security release
bundle update rails
```

```ruby
# Gemfile: target a specific series. '~>' permits any patch release at or above
# the one given within that minor series, so `bundle update rails` is what
# actually resolves to the patched x.y.z.1 version.
gem 'rails', '~> 8.1.2'  # Rails 8.1
gem 'rails', '~> 8.0.4'  # Rails 8.0
gem 'rails', '~> 7.2.3'  # Rails 7.2 (last supported minor)
```
Rails 7.0 reached EOL April 2025. Rails 7.1 reached EOL October 2025. Neither received patches for the March 2026 CVEs. If you are on 7.0 or 7.1, upgrade to 7.2 or 8.x immediately — your application has unpatched path traversal and XSS vulnerabilities.
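To see where an installed Rails version stands against the March 2026 fixed versions listed above, here is an added Ruby example (not part of the original page and not PackageFix code). It assumes the standard Gemfile.lock layout and embeds a constructed sample lockfile.

```ruby
require "rubygems"

# Fixed versions from the March 2026 security release (per the text above).
# Series absent here (7.1, 7.0 and older) are EOL and received no patch.
MARCH_2026_FIXED = {
  "8.1" => Gem::Version.new("8.1.2.1"),
  "8.0" => Gem::Version.new("8.0.4.1"),
  "7.2" => Gem::Version.new("7.2.3.1"),
}.freeze

# Pull the resolved rails version out of a Gemfile.lock. Top-level specs are
# indented by exactly four spaces; dependency lines (six spaces, "(= x.y.z)")
# and the DEPENDENCIES section (two spaces, "(~> x.y.z)") are not matched.
def rails_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \((\d+(?:\.\d+)*)\)$/)
  m && Gem::Version.new(m[1])
end

# Classify an installed rails version against the March 2026 fixed versions:
# :patched, :vulnerable (supported series below the fix) or :eol (no fix exists).
def march_2026_status(version)
  series = version.segments.first(2).join(".")
  fixed = MARCH_2026_FIXED[series]
  return :eol unless fixed
  version >= fixed ? :patched : :vulnerable
end

# Constructed sample lockfile (not from a real project), used for the demo below.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.0.3)
        rack (>= 2.2.4)
      rails (8.0.3)
        actionpack (= 8.0.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 8.0.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{v}: #{march_2026_status(v)}"   # prints "rails 8.0.3: vulnerable"
end
```

Point `rails_version_from_lockfile` at `File.read("Gemfile.lock")` to check a real project; the `:eol` result is the case where no patch exists and a series upgrade is required.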
CVE history — all 5 known vulnerabilities
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-21831 | 2022 | CRITICAL | Code injection via YAML serialisation in Action Text | Fixed in 6.1.4.7 |
| CVE-2022-32224 | 2022 | CRITICAL | RCE via YAML deserialization in PostgreSQL adapter | Fixed in 7.0.3.1 |
| CVE-2022-44566 | 2022 | HIGH | DoS via excessive string allocation in Rack body parsing | Fixed in 7.0.4 |
| CVE-2023-28362 | 2023 | HIGH | XSS via redirect URLs with crafted query params | Fixed in 7.0.5 |
| CVE-2024-26144 | 2024 | HIGH | CSRF token leak in session response headers | Fixed in 7.1.3 |
Current safe version
The latest safe version addresses all 5 known CVEs listed above.
Before and after
Vulnerable:

```ruby
gem 'rails', '6.0.0'
```

Fixed:

```ruby
gem 'rails', '7.1.3'
```

Then run: `bundle install`
CVE-2026-41316 — Ruby ERB deserialization RCE (April 2026)
Published April 21, 2026. A deserialization vulnerability in Ruby's ERB standard library allows remote code execution in Rails applications that call Marshal.load on untrusted data. Every Rails app loads both ActiveSupport and ERB, so if your app processes untrusted Marshal data via caching, file uploads, or IPC, review immediately.

Affected: any Ruby application using Marshal.load with untrusted input that has both erb and activesupport loaded, which includes all Rails applications.
```shell
# Fix: update Ruby
ruby --version   # Check current version
# Update to Ruby 3.3.11 or Ruby 4.0.2, which include the ERB patch

# Immediate mitigation if you cannot update Ruby:
# - Never call Marshal.load on data from untrusted sources
# - Replace Marshal with JSON for serialization where possible
```