CVE-2026-34763
PUBLISHED · CVSS 5.3 MEDIUM

Reported by GitHub_M · Published April 2, 2026

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
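The prefix-stripping step described above, as an added example that is not Rack's own code: it assumes the vulnerable step has the shape `path.sub(/^#{root}/, '')` (the root interpolated into a regex unescaped) and puts it beside two hardened variants, one with `Regexp.escape` and one with plain `delete_prefix`. Function names and sample paths are constructed for illustration.

```ruby
# Added example (not Rack's code): models the step that derives the displayed
# directory path by stripping the configured root from the filesystem path.
# Function names and sample paths are constructed for illustration.

# Vulnerable pattern: root is interpolated into the regex as-is, so any regex
# metacharacter in it (+, *, ., parentheses, ...) changes the pattern's meaning.
def strip_root_unescaped(root, path)
  path.sub(/^#{root}/, "")
end

# Hardened pattern: Regexp.escape turns every metacharacter in root into a
# literal, and \A anchors to the start of the string rather than of a line.
def strip_root_escaped(root, path)
  path.sub(/\A#{Regexp.escape(root)}/, "")
end

# Hardened pattern without a regex at all: plain prefix removal.
def strip_root_prefix(root, path)
  path.delete_prefix(root)
end

# Returns what each variant would display for a given root and path,
# capturing the RegexpError raised when the unescaped root does not compile.
def compare(root, path)
  unescaped = begin
    strip_root_unescaped(root, path)
  rescue RegexpError => e
    "RegexpError: #{e.message}"
  end
  {
    unescaped: unescaped,
    escaped: strip_root_escaped(root, path),
    prefix: strip_root_prefix(root, path)
  }
end

if $PROGRAM_NAME == __FILE__
  # Root containing "+" (constructed): in the regex "c++" means "one or more
  # c", so the pattern never matches and the full filesystem path is shown.
  p compare("/srv/c++/public", "/srv/c++/public/docs")
  # Root containing an unmatched ")" (constructed): the regex does not compile.
  p compare("/srv/data)/public", "/srv/data)/public/docs")
  # Root without metacharacters: all three variants agree on "/docs".
  p compare("/srv/www/public", "/srv/www/public/docs")
end
```

The unescaped variant either leaks the full path (the match silently fails) or raises, while both hardened variants strip the root regardless of which characters it contains.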

Risk Scores

CVSS 3.1: 5.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products

Vendor: rack · Product: rack · Versions: < 2.2.23; >= 3.0.0.beta1, < 3.1.21; >= 3.2.0, < 3.2.6
Vendor: AWS · Product: config · Versions: (none listed)

Timeline

  • Apr 2, 2026 CVE Published
  • Apr 3, 2026 Security Advisory
  • May 18 to May 27, 2026 EPSS Score (updated daily)