rubysec · jasnow · Jun 29, 2026 · Jun 26, 2026 · Jun 26, 2026 · Jun 28, 2026
diff --git a/gems/css_parser/CVE-2026-53727.yml b/gems/css_parser/CVE-2026-53727.yml
@@ -0,0 +1,36 @@
+---
+gem: css_parser
+cve: 2026-53727
+ghsa: 9pmc-p236-855h
+url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53727
+title: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`
+date: 2026-06-01
+description: |
+  ## Summary
+
+  CssParser::Parser#read_remote_file (and therefore load_uri!, and the
+  @import-following branch of add_block!) issues HTTP/HTTPS requests
+  against any host, port and URI it is handed, with no scheme allowlist,
+  no host / IP filtering, and no protection against link-local, loopback
+  or RFC‑1918 addresses. Location: redirects are followed recursively
+  back into the same function, which also services file:// URIs, so a
+  single attacker-controlled HTTP redirect upgrades the bug from SSRF
+  to arbitrary local file disclosure.
+
+  In practice, any consumer of css_parser that hands it attacker‑influenced
+  CSS together with a base_uri: option — Premailer being the canonical
+  example — is exposed. The attacker only needs the ability to land one
+  @import url(...) in the CSS that the host application parses.
+cvss_v4: 8.9
+unaffected_versions:
+  - "< 2.2.0"
+patched_versions:
+  - ">= 3.0.0"
+related:
+  url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53727
+    - https://rubygems.org/gems/css_parser/versions/3.0.0
+    - https://github.com/premailer/css_parser/blob/master/CHANGELOG.md#version-300
+    - https://github.com/premailer/css_parser/security/advisories/GHSA-9pmc-p236-855h
+notes: |
+  - CVE is reserved, but not published so no cvss values.
diff --git a/gems/msgpack/CVE-2026-54522.yml b/gems/msgpack/CVE-2026-54522.yml
@@ -0,0 +1,30 @@
+---
+gem: msgpack
+cve: 2026-54522
+ghsa: 4mrv-5p47-p938
+url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54522
+title: DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear
+  Enables Cross-Buffer Disclosure
+date: 2026-06-09
+description: |
+  ## Summary
+
+  MessagePack::Buffer#clear shifts out every chunk and returns its
+  4 KiB rmem page to the shared pool, but does not reset the buffer's
+  rmem cursor (rmem_last, rmem_end, rmem_owner). The next write sees
+  "unused rmem space" left over from the freed page and hands back a
+  slice of memory that has already been returned to the pool. A second
+  MessagePack::Buffer then re-acquires that same page, so reading the
+  cleared-and-rewritten buffer discloses the second buffer's bytes — a
+  same-process use-after-free with cross-buffer information
+  disclosure (and the symmetric write-corruption).
+patched_versions:
+  - ">= 1.8.2"
+related:
+  url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54522
+    - https://github.com/msgpack/msgpack-ruby/blob/master/ChangeLog
+    - https://github.com/msgpack/msgpack-ruby/compare/v1.8.1...v1.8.2
+    - https://github.com/msgpack/msgpack-ruby/security/advisories/GHSA-4mrv-5p47-p938
+notes: |
+  - CVE is reserved, but not published so no cvss values.
diff --git a/gems/savon/CVE-2026-53510.yml b/gems/savon/CVE-2026-53510.yml
@@ -0,0 +1,34 @@
+---
+gem: savon
+cve: 2026-53510
+ghsa: mx5j-mp4f-g8jg
+url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53510
+title: Savon::Model evaluates WSDL operation names as Ruby source
+date: 2026-06-10
+description: |
+  Savon::Model generated SOAP operation methods by interpolating
+  operation names into Ruby source passed to module_eval. An attacker
+  who can control the operation names of a WSDL, can inject Ruby code
+  that executes in the application process. This affects only the
+  .all_operations class method provided by Savon::Model to automatically
+  register all operations provided by the WSDL. Configuring Savon::Model
+  with trusted operation names via .operations is safe.
+
+  Thanks to @connorshea for securely disclosing this, providing
+  a proof and a great report.
+cvss_v3: 8.1
+unaffected_versions:
+  - "< 0.9.8"
+patched_versions:
+  - ">= 2.17.2"
+related:
+  url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53510
+    - https://github.com/savonrb/savon/releases/tag/v2.17.2
+    - https://github.com/savonrb/savon/blob/main/CHANGELOG.md#2172---2026-06-10
+    - https://github.com/savonrb/savon/blob/v2.17.1/lib/savon/model.rb#L30-L45
+    - https://gist.github.com/connorshea/6cdc951abe0e1ffd2d1cc0fa7cd6b74d
+    - https://github.com/savonrb/savon/security/advisories/GHSA-mx5j-mp4f-g8jg
+notes: |
+  - Found CVE # in CHANGELOG file.
+  - CVE is reserved, but not published so no non-GHSA cvss values.
diff --git a/gems/secure_headers/CVE-2026-54163.yml b/gems/secure_headers/CVE-2026-54163.yml
@@ -0,0 +1,64 @@
+---
+gem: secure_headers
+cve: 2026-54163
+ghsa: rqq5-2gf9-4w4q
+url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163
+title: CSP directive injection via sandbox, plugin_types, and report_to
+  when given untrusted input
+date: 2026-06-3
+description: |
+ ## Summary
+
+  secure_headers builds the Content-Security-Policy value by stitching
+  every configured directive together with ;  separators. Three directive
+  builders (build_sandbox_list_directive, build_media_type_list_directive,
+  build_report_to_directive) interpolate caller-supplied strings into
+  that value without scrubbing ;, \r, or \n.
+
+  When an application forwards untrusted input into
+  SecureHeaders.override_content_security_policy_directives (or append_…)
+  for :sandbox, :plugin_types, or :report_to, an attacker can embed a
+  literal ; and inject an arbitrary CSP directive into the header value.
+  Because :sandbox and :plugin_types both sort alphabetically before
+  :script_src in BODY_DIRECTIVES, the injected script-src lands earlier
+  in the header and wins under the CSP first-occurrence rule, defeating
+  the application's real script-src. End result: an 'unsafe-inline' * policy
+  is forced for inline <script> despite the configured strict CSP, giving
+  full XSS reachability anywhere reflected or stored content meets one of
+  these three sinks.
+
+  An existing ;/\n scrub is already present in the source-list builder
+  (build_source_list_directive), but the three sibling builders here
+  never received the same treatment and still emit caller bytes verbatim
+  into the CSP value.
+
+  ## Impact
+
+  Although piping untrusted input into CSP directives is generally
+  discouraged, applications that do so for one of the three uncovered
+  directives turn that endpoint into an XSS sink with an effective *
+  'unsafe-inline' script-src, even though the global config says
+  script_src: %w('self'). The same primitive can also be used to point
+  report-to / report-uri at attacker infrastructure to silently siphon
+  CSP violation reports — which include the violated URL, blocked-uri,
+  source-file, line-number and a sample-snippet, useful for
+  fingerprinting and for harvesting victim-internal URLs.
+
+  The global default CSP set in Configuration.default is supposed to
+  be a backstop: even if a controller appends a single risky value,
+  the strict script-src should remain the first match. This bug breaks
+  that property by letting the appended value redefine the policy header
+  upstream of the legitimate script-src.
+cvss_v3: 4.7
+patched_versions:
+  - ">= 7.3.0"
+related:
+  url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163
+    - https://rubygems.org/gems/secure_headers/versions/7.3.0
+    - https://github.com/github/secure_headers/releases/tag/v7.3.0
+    - https://github.com/github/secure_headers/commit/286a79dea80c6a9be4ca93e0f284c923cf77e539
+    - https://github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q
+notes: |
+  - CVE is reserved, but not published so no cvss_v2 or cvss_v4 values.
+  - CHANGELOG only goes to 6.5.0.