Advisories » MGASA-2026-0075

Updated ruby-rack packages fix security vulnerabilities

Publication date: 31 Mar 2026
Modification date: 31 Mar 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-22860 , CVE-2026-25500

Description

Rack has a Directory Traversal via Rack:Directory. (CVE-2026-22860)
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered
into anchor href. (CVE-2026-25500)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35285
• https://lists.debian.org/debian-security-announce/2026/msg00089.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500

SRPMS

9/core

• ruby-rack-2.2.22-1.mga9