Ruby on Rails Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) Vulnerability - CVE-2026-33202 - Vulnerability Database

Critical
Reference: CVE-2026-33202
Title: Ruby on Rails Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) Vulnerability
Overview:

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
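
The glob behaviour described in the overview, shown as an added Ruby example that is neither Rails' code nor its patch. `ToyDiskStore`, its method names and the sample keys are constructed for illustration. It runs the same prefix through an unescaped and an escaped `Dir.glob` call and returns the files left behind.

```ruby
require "tmpdir"
require "fileutils"

# Simplified stand-in for a disk-backed blob store (hypothetical, not Rails' DiskService).
class ToyDiskStore
  GLOB_META = /[\\*?\[\]{}]/ # characters Dir.glob treats as pattern syntax

  def initialize(root)
    @root = root
  end

  def write(key, data)
    File.write(File.join(@root, key), data)
  end

  def keys
    Dir.children(@root).sort
  end

  # Unescaped pattern: the prefix reaches Dir.glob verbatim, so "[1]" is
  # read as a character class rather than as three literal characters.
  def delete_prefixed_unescaped(prefix)
    Dir.glob(File.join(@root, "#{prefix}*")).each { |path| FileUtils.rm_rf(path) }
  end

  # Hardened: backslash-escape every metacharacter so the prefix is matched
  # literally; base: keeps the root directory out of the pattern as well.
  def delete_prefixed_escaped(prefix)
    literal = prefix.gsub(GLOB_META) { |m| "\\#{m}" }
    Dir.glob("#{literal}*", base: @root).each do |rel|
      FileUtils.rm_rf(File.join(@root, rel))
    end
  end
end

# Builds a scratch store with constructed keys, deletes by the prefix
# "report[1]" using the named method, and returns the keys that remain.
def remaining_after(method_name)
  Dir.mktmpdir do |root|
    store = ToyDiskStore.new(root)
    ["report[1]-thumb", "report1-thumb", "other"].each { |k| store.write(k, "x") }
    store.public_send(method_name, "report[1]")
    store.keys
  end
end

puts "unescaped leaves: #{remaining_after(:delete_prefixed_unescaped).inspect}"
puts "escaped leaves:   #{remaining_after(:delete_prefixed_escaped).inspect}"
```

The unescaped call removes `report1-thumb`, which belongs to a different key, and leaves the intended `report[1]-thumb` in place. The escaped call does the opposite.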