Active Support
- Reject scientific notation in NumberConverter [CVE-2026-33176]
  Jean Boussier
- Fix SafeBuffer#% to preserve unsafe status [CVE-2026-33170]
  Jean Boussier
- Improve performance of NumberToDelimitedConverter [CVE-2026-33169]
  Jean Boussier
Active Model
- No changes.
Active Record
- No changes.
Action View
- Skip blank attribute names in tag helpers to avoid generating invalid HTML.
  Mike Dalessio
Action Pack
- Fix possible XSS in DebugExceptions middleware
  John Hawthorn
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- Filter user supplied metadata in DirectUploadController [CVE-2026-33173]
  Jean Boussier
- Configurable maximum streaming chunk size
  Makes sure that byte ranges for blobs don't exceed 100MB by default.
  Content ranges that are too big can result in denial of service. [CVE-2026-33174]
  Gannon McGibbon
- Limit range requests to a single range [CVE-2026-33658]
  Jean Boussier
- Prevent path traversal in DiskService.
  DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."),
  or if the resolved path is outside the storage root directory. #path_for also now consistently
  raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or
  having an incompatible encoding. Previously, the exception raised may have been ArgumentError or
  Encoding::CompatibilityError. DiskController now explicitly rescues InvalidKeyError with
  appropriate HTTP status codes. [CVE-2026-33195]
  Mike Dalessio
- Prevent glob injection in DiskService#delete_prefixed.
  Escape glob metacharacters in the resolved path before passing to Dir.glob. Note that this change
  breaks any existing code that is relying on delete_prefixed to expand glob metacharacters. This
  change presumes that is unintended behavior (as other storage services do not respect these
  metacharacters). [CVE-2026-33202]
  Mike Dalessio
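The two DiskService entries above describe a key-validation rule (reject dot segments, null bytes, bad encodings and anything resolving outside the root, always as InvalidKeyError) and a glob-escaping rule (treat a prefix literally before handing it to Dir.glob). The following is an added example, not Active Storage's own code: a small hypothetical `DiskStore` class with its own `path_for`, `delete_prefixed`, `write`, `keys` and `rejects?` helpers that applies both rules so the effect of each check can be exercised against a temporary directory.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical stand-in for the InvalidKeyError named in the changelog.
class InvalidKeyError < StandardError; end

# Minimal disk-backed store constructed for this example (not Active Storage's DiskService).
class DiskStore
  # Characters that Dir.glob interprets: backslash, *, ?, [ ], { }.
  GLOB_META = /[\\*?\[\]{}]/

  attr_reader :root

  def initialize(root)
    @root = File.expand_path(root)
  end

  # Map a key to an absolute path under the root. Every kind of bad key raises
  # InvalidKeyError; lower-level ArgumentError / Encoding::CompatibilityError are
  # converted so callers only have one exception class to rescue.
  def path_for(key)
    raise InvalidKeyError, "key must be a non-empty String" unless key.is_a?(String) && !key.empty?
    raise InvalidKeyError, "key has an invalid encoding" unless key.valid_encoding?
    raise InvalidKeyError, "key contains a null byte" if key.include?("\0")
    if key.split("/").any? { |seg| seg == "." || seg == ".." }
      raise InvalidKeyError, "key contains a dot segment"
    end
    full = File.expand_path(key, @root)
    unless full.start_with?(@root + File::SEPARATOR)
      raise InvalidKeyError, "key resolves outside the storage root"
    end
    full
  rescue ArgumentError, Encoding::CompatibilityError => e
    raise InvalidKeyError, "invalid key: #{e.message}"
  end

  # Backslash-escape glob metacharacters so Dir.glob matches them literally.
  def self.escape_glob(str)
    str.gsub(GLOB_META) { |m| "\\#{m}" }
  end

  # Delete every file whose key starts with prefix, with prefix taken literally:
  # "star*" only matches keys that really begin with the characters s-t-a-r-*.
  # Returns the sorted list of deleted absolute paths.
  def delete_prefixed(prefix)
    path_for(prefix) # validate the prefix exactly like any other key
    pattern = "#{self.class.escape_glob(File.join(@root, prefix))}*"
    Dir.glob(pattern).select { |f| File.file?(f) }.sort.each { |f| File.delete(f) }
  end

  # Store data under key (directories created as needed).
  def write(key, data)
    path = path_for(key)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, data)
  end

  # All keys currently stored, relative to the root, sorted.
  def keys
    Dir.glob(File.join(@root, "**", "*"))
       .select { |f| File.file?(f) }
       .map { |f| f.delete_prefix(@root + File::SEPARATOR) }
       .sort
  end

  # True if path_for refuses the key with InvalidKeyError (and nothing else).
  def self.rejects?(store, key)
    store.path_for(key)
    false
  rescue InvalidKeyError
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  store = DiskStore.new(Dir.mktmpdir)
  store.write("plain.txt", "a")
  store.write("star*1.txt", "b")
  store.write("starx.txt", "c")
  puts "before: #{store.keys.inspect}"
  puts "deleted: #{store.delete_prefixed('star*').inspect}"
  puts "after:  #{store.keys.inspect}"
  %w[../outside a/../b a/./b /etc/passwd].each do |k|
    puts "#{k.inspect} rejected? #{DiskStore.rejects?(store, k)}"
  end
end
```

Without the escaping step, `delete_prefixed("star*")` would build the pattern `star**` and remove `starx.txt` as well; with it, only the file whose name literally starts with `star*` goes. The same `path_for` gate is applied to the prefix before any globbing, so a prefix containing `..` or an absolute path never reaches Dir.glob.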
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
Guides
- No changes.