SCA: security update for carrierwave (GHSA-7g26-2qgj-chfg)

medium Tenable Self-Hosted Container Security Plugin ID 444523

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3,
the content_type_denylist check fails to escape regex metacharacters in string entries, causing the
denylist to silently not match the content types it is intended to block. In
lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a
regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern
/image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore
never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation,
which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex
metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that
relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently
unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves
that SVG inline from its own origin, the script executes in the victim's browser, resulting in stored XSS.
This issue has been fixed in versions 2.2.7 and 3.1.3. (CVE-2026-44587)

Solution

Update the carrierwave library and its related packages to version 2.2.7 or later.

See Also

https://github.com/advisories/GHSA-7g26-2qgj-chfg

Plugin Details

Severity: Medium

ID: 444523

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/8/2026

Updated: 7/8/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.48

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-44587

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/27/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-44587