Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4505 advisory.

    - -----------------------------------------------------------------------     Debian LTS Advisory DLA-4505-1              debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Utkarsh Gupta     March 23, 2026                              https://wiki.debian.org/LTS
    - -----------------------------------------------------------------------

    Package        : ruby-rack     Version        : 2.1.4-3+deb11u5     CVE ID         : CVE-2026-22860 CVE-2026-25500     Debian Bug     : 1128479 1128480

    Two vulnerabilities were discovered in ruby-rack, a modular Ruby     webserver interface.

    CVE-2026-22860

        Rack::Directory's path check used a string prefix match on the         expanded path. A request like /../root_example/ could escape the         configured root if the target path started with the root string,         allowing directory listing outside the intended root.

    CVE-2026-25500

        Rack::Directory generated an HTML directory index where each file         entry was rendered as a clickable link. If a file existed on disk         whose basename started with the javascript: scheme, the generated         index contained an anchor whose href executed JavaScript in the         browser, resulting in a stored XSS vulnerability.

    For Debian 11 bullseye, these problems have been fixed in version     2.1.4-3+deb11u5.

    We recommend that you upgrade your ruby-rack packages.

    For the detailed security status of ruby-rack please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-rack

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8066-1 advisory.

    Minh Pham Quang discovered that Rack did not correctly handle parsing certain paths, which could lead to a     path traversal attack. An attacker could possibly use this issue to leak sensitive information.
    (CVE-2026-22860)

    Ali Firas discovered that Rack did not correctly sanitize certain inputs. An attacker could possibly use     this issue to execute arbitrary code. (CVE-2026-25500)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the Rack Ruby library installed on the remote host is prior to 2.2.22, 3.x prior to 3.1.20, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities:

  - Rack::Directory’s path check used a string prefix match on the expanded path. A request like     /../root_example/ can escape the configured root if the target path starts with the root string,     allowing directory listing outside the intended root. (CVE-2026-22860)

  - Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link.     If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)),     the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking     this entry executes arbitrary JavaScript in the context of the hosting application. (CVE-2026-25500)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5,     `Rack::Directory`'s path check used a string prefix match on the expanded path. A request like     `/../root_example/` can escape the configured root if the target path starts with the root string,     allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
    (CVE-2026-22860)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
303309	Debian dla-4505 : ruby-rack - security update	Nessus	Debian Local Security Checks	high
300486	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Rack vulnerabilities (USN-8066-1)	Nessus	Ubuntu Local Security Checks	high
299587	Ruby Rack < 2.2.22 / 3.0.0.beta1 < 3.1.20 / 3.2.0 < 3.2.5 Multiple Vulnerabilities	Nessus	Misc.	high
299489	Linux Distros Unpatched Vulnerability : CVE-2026-22860	Nessus	Misc.	high

Detections

Analytics

CVE-2026-22860

high

Tenable Plugins

high

high

high

high