CVE-2026-25500

Date: February 17, 2026

Summary "Rack::Directory" generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the "javascript:" scheme (e.g. "javascript:alert(1)"), the generated index includes an anchor whose "href" attribute is exactly "javascript:alert(1)". Clicking this entry executes arbitrary JavaScript in the context of the hosting application. This results in a client-side XSS condition in directory listings generated by "Rack::Directory". Details "Rack::Directory" renders directory entries using an HTML row template similar to: <a href='%s'>%s</a> The "%s" placeholder is populated directly with the file’s basename. If the basename begins with "javascript:", the resulting HTML contains an executable JavaScript URL: <a href='javascript:alert(1)'>javascript:alert(1)</a> Because the value is inserted directly into the "href" attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. Impact If "Rack::Directory" is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with "javascript:". When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). Mitigation * Update to a patched version of Rack in which "Rack::Directory" prefixes generated anchors with a relative path indicator (e.g. "./filename"). * Avoid exposing user-controlled directories via "Rack::Directory". * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.