Rack 2.2.22 / 3.1.20 / 3.2.5 Fixed XSS in Directory Index via javascript: links
CVE-2026-25500 Published on February 18, 2026

Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Github Repository NVD

Vulnerability Analysis

CVE-2026-25500 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-25500 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2026-25500

stack.watch emails you whenever new vulnerabilities are published in Rack or Canonical Ubuntu Linux. Just hit a watch button to start following.

Rack
 
Canonical Ubuntu Linux
 

Affected Versions

rack:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-25500

Package Manager Vulnerable Package Versions Fixed In
rubygems rack < 2.2.22 2.2.22
rubygems rack >= 3.0.0.beta1, < 3.1.20 3.1.20
rubygems rack >= 3.2.0, < 3.2.5 3.2.5

Exploit Probability

EPSS
0.04%
Percentile
10.27%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.