activerecord (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package activerecord, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (23)
CVE-2013-0277 — CVSS 10.0 (critical): ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary…
CVE-2022-32224 — CVSS 9.8 (critical): A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and…
CVE-2023-22794 — CVSS 8.8 (high): A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed…
CVE-2011-2930 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connect…
CVE-2012-2695 — CVSS 7.5 (high): The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the…
CVE-2012-6496 — CVSS 7.5 (high): SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10…
CVE-2011-0448 — CVSS 7.5 (high): Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for…
CVE-2022-44566 — CVSS 7.5 (high): A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a…
CVE-2008-4094 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1)…
CVE-2014-3483 — CVSS 7.5 (high): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for…
CVE-2021-22880 — CVSS 7.5 (high): The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS)…
CVE-2016-6317 — CVSS 7.5 (high): Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record…
CVE-2014-3514 — CVSS 7.5 (high): activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows…
CVE-2014-3482 — CVSS 7.5 (high): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for…
CVE-2014-0080 — CVSS 6.8 (medium): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails…
CVE-2013-3221 — CVSS 6.4 (medium): The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database…
CVE-2010-3933 — CVSS 6.4 (medium): Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by…
CVE-2013-0155 — CVSS 6.4 (medium): Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter…
CVE-2015-7577 — CVSS 5.3 (medium): activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x…
CVE-2013-1854 — CVSS 5.0 (medium): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by…
CVE-2012-2661 — CVSS 5.0 (medium): The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement…
CVE-2013-0276 — CVSS 4.3 (medium): ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the…
CVE-2025-55193: Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or…