Skip to main content

Nokogiri EUVDEUVD-2026-39421

| CVE-2026-57234 LOW
Improper Handling of Case Sensitivity (CWE-178)
2026-06-25 GitHub_M
2.6
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
2.6 LOW

Requires JRuby runtime, attacker-supplied schema, and user interaction (AC:H, PR:L, UI:R); impact limited to SSRF/XXE data disclosure with no integrity or availability consequence.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 15:21 vuln.today
Analysis Generated
Jun 25, 2026 - 15:21 vuln.today

DescriptionCVE.org

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

AnalysisAI

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege access to application
Delivery
Supply crafted XML Schema with external network references
Exploit
Application invokes Nokogiri::XML::Schema on JRuby with default options
Execution
Case-sensitive NONET denylist bypass permits outbound network request
Impact
Attacker-controlled server receives SSRF hit or XXE-exfiltrated data

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target Ruby application must be running on the JRuby implementation - CRuby deployments at any Nokogiri version are immune; (2) the application must use Nokogiri::XML::Schema to parse XML schemas, specifically with default parse options (NONET enabled); (3) the attacker must be able to supply or influence the schema content processed by the application, since the bypass is triggered by external resource references embedded in the schema itself; and (4) CVSS PR:L indicates some level of authenticated or low-privilege access is required, and UI:R indicates a user or process action must trigger the schema parse. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 2.6 (Low) is internally consistent with the vector AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, reflecting high attack complexity, a required low-privileged authenticated context, mandatory user interaction, and only limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious XML Schema document containing references to attacker-controlled external URLs using alternate-case scheme strings (exploiting the case-sensitive denylist bypass) and submits it to a JRuby-based Ruby application that uses Nokogiri::XML::Schema for schema validation with default parse options. The application's Nokogiri JRuby implementation issues an outbound HTTP request to the attacker's server despite NONET being set, enabling the attacker to map internal network topology via SSRF or extract data via XXE response channels. …
Remediation Upgrade to Nokogiri 1.19.4 or later via gem update nokogiri or by updating the Gemfile pin; this is the only confirmed fix per the vendor advisory at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-29181 HIGH POC
8.2 May 20

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely

CVE-2019-5477 CRITICAL
9.8 Aug 16

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub

CVE-2022-23476 HIGH
7.5 Dec 08

Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this

CVE-2022-24836 HIGH
7.5 Apr 11

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2021-41098 HIGH
7.5 Sep 27

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever

CVE-2026-57235 MEDIUM
6.3 Jun 25

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l

CVE-2020-26247 MEDIUM
4.3 Dec 30

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev

CVE-2026-57438 LOW
2.2 Jun 25

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin

CVE-2026-57437 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh

CVE-2026-57436 LOW
1.7 Jun 25

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod

CVE-2026-57435 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg

CVE-2026-57434 LOW
1.7 Jun 25

Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.

Share

EUVD-2026-39421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy