CVE-2026-44587
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Description
CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3.
INFO
Published Date :
June 17, 2026, 1:20 p.m.
Last Modified :
June 18, 2026, 3:24 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | MEDIUM | MITRE-CVE | ||||
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Update CarrierWave to version 2.2.7 or later.
- Update CarrierWave to version 3.1.3 or later.
- Ensure content type denylist is correctly configured.
- Review file upload security practices.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-44587.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-44587 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-44587
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-44587 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-44587 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 18, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Added CPE Configuration OR *cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:* versions up to (excluding) 2.2.7 *cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:* versions from (including) 3.0.0 up to (excluding) 3.1.3 Added Reference Type GitHub, Inc.: https://github.com/carrierwaveuploader/carrierwave/commit/21221cc6e260633f7da78c6133a88666a5529d27 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/carrierwaveuploader/carrierwave/commit/4c4a005775a436c5165df014dc9b1874c227d86c Types: Patch Added Reference Type GitHub, Inc.: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg Types: Exploit, Vendor Advisory Added Reference Type CISA-ADP: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg Types: Exploit, Vendor Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added Reference https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg Added SSVC {'id': 'CVE-2026-44587', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'partial'}], 'version': '2.0.3', 'timestamp': '2026-06-17T18:06:48.640514Z'} -
New CVE Received by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'carrierwaveuploader', 'product': 'carrierwave', 'versions': [{'status': 'affected', 'version': '< 2.2.7'}, {'status': 'affected', 'version': '>= 3.0.0.rc, < 3.1.3'}]}] Added Description CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N Added CWE CWE-79 Added CWE CWE-184 Added CWE CWE-625 Added Reference https://github.com/carrierwaveuploader/carrierwave/commit/21221cc6e260633f7da78c6133a88666a5529d27 Added Reference https://github.com/carrierwaveuploader/carrierwave/commit/4c4a005775a436c5165df014dc9b1874c227d86c Added Reference https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-7g26-2qgj-chfg