Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2026-22860
Good to know:
Date: February 17, 2026
Summary "Rack::Directory"’s path check used a string prefix match on the expanded path. A request like "/../root_example/" can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Details In "directory.rb", "File.expand_path(File.join(root, path_info)).start_with?(root)" does not enforce a path boundary. If the server root is "/var/www/root", a path like "/var/www/root_backup" passes the check because it shares the same prefix, so "Rack::Directory" will list that directory also. Impact Information disclosure via directory listing outside the configured root when "Rack::Directory" is exposed to untrusted clients and a directory shares the root prefix (e.g., "public2", "www_backup"). Mitigation * Update to a patched version of Rack that correctly checks the root prefix. * Don't name directories with the same prefix as one which is exposed via "Rack::Directory".
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Top Fix
Upgrade Version
Upgrade to version rack - 2.2.22;rack - 3.1.20;rack - 3.2.5;https://github.com/rack/rack.git - v3.2.5;https://github.com/rack/rack.git - v3.1.20;https://github.com/rack/rack.git - v2.2.22
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | NONE |
| Availability (A): | NONE |