Moole Vulnerability Database

Find real vulnerabilities before they ship

High

CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

VectorNETWORK

PublishedFeb 18, 2026, 19:21

Published Bysecurity-advisories@github.com

Base Score

Score7.5

Affected Versions

Package (Ecosystem)IntroducedFixedLimit

rack(RubyGems)02.2.22N/A

rack(RubyGems)3.0.0.beta13.1.20N/A

rack(RubyGems)3.2.03.2.5N/A

References

https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

Weakness Type

CWE-22

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base SeverityHigh

Version

3.1

Attack Vector (AV)

NETWORK