1. Home
  2. Vulnerabilities
  3. CVE-2026-44587
0.0
NA
CVE-2026-44587
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Overview
Description

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3.

Details
INFO

Published Date :

June 16, 2026, 11:10 p.m.

Last Modified :

June 16, 2026, 11:10 p.m.

Remotely Exploit :

No

Source :

GitHub_M
Impact
Affected Products

The following products are affected by CVE-2026-44587 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Update CarrierWave to patched versions to fix SVG upload vulnerabilities and prevent stored XSS.
  • Update CarrierWave to version 2.2.7 or later.
  • Update CarrierWave to version 3.1.3 or later.
  • Ensure content type denylist is correctly configured.
  • Review file upload security practices.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-44587 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.