2440738 – (CVE-2026-25500) CVE-2026-25500 rubygem-rack: Rack stored XSS in Rack::Directory

Bug 2440738 (CVE-2026-25500) - CVE-2026-25500 rubygem-rack: Rack stored XSS in Rack::Directory

Summary: CVE-2026-25500 rubygem-rack: Rack stored XSS in Rack::Directory

Keywords:
Status:	NEW
Alias:	CVE-2026-25500
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-18 20:03 UTC by OSIDB Bzimport
Modified:	2026-02-18 22:19 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-18 20:03:02 UTC

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Note You need to log in before you can comment on or make changes to this bug.