Cross-Site Scripting in Rack Web Server Interface
CVE-2026-25500

5.4 MEDIUM

Key Information:

Vendor: Rack

Status: Vendor

CVE Published: 18 February 2026

What is CVE-2026-25500?

The Rack web server interface, prior to the fixed versions listed below, contains a vulnerability in the Rack::Directory component. When it generates an HTML directory index, the href of each clickable link is built from the file name on disk, so a file whose name begins with the javascript: scheme is emitted as a link the browser interprets as a script URL. For example, a file with the basename javascript:alert(1) is rendered as a link that executes JavaScript when clicked, potentially leading to harmful actions in the browser. The vulnerability was addressed in versions 2.2.22, 3.1.20, and 3.2.5.
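As an added example that is not Rack's own code or its published fix, the Ruby below shows one defensive way to build directory-index links so that a basename such as javascript:alert(1) can never be read as a URL scheme, together with a check that scans rendered HTML for hrefs carrying a non-http(s) scheme; all function names and the sample entries are hypothetical.

```ruby
require "cgi"

# Hypothetical helper (not Rack's own code): percent-encode a single path
# segment, keeping only RFC 3986 unreserved characters. Encoding ':' is the
# point: a raw "javascript:alert(1)" in an href parses as a scheme, while
# "javascript%3Aalert%281%29" does not.
def encode_segment(segment)
  segment.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
end

# Build the href for an entry relative to the directory being listed.
# The "./" prefix guarantees a relative path: a browser can never read the
# first segment as a URL scheme even if the encoding were bypassed.
def entry_href(name)
  "./" + encode_segment(name)
end

# Render one <a> element: scheme-safe href plus HTML-escaped link text, so a
# file name cannot inject markup either.
def entry_link(name)
  %(<a href="#{CGI.escapeHTML(entry_href(name))}">#{CGI.escapeHTML(name)}</a>)
end

# Render a minimal directory index for a list of basenames.
def directory_index_html(entries)
  rows = entries.map { |n| "  <li>#{entry_link(n)}</li>" }.join("\n")
  "<ul>\n#{rows}\n</ul>"
end

# Detection-style check for a rendered index: return every href whose value
# starts with a URL scheme other than http or https (e.g. "javascript:").
def unsafe_scheme_hrefs(html)
  html.scan(/href="([^"]*)"/).flatten.select do |href|
    href =~ /\A[A-Za-z][A-Za-z0-9+.\-]*:/ && href !~ /\Ahttps?:/i
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample entries, including a hostile basename of the kind
  # the advisory describes.
  html = directory_index_html(["README.md", "javascript:alert(1)"])
  puts html
  puts "unsafe hrefs: #{unsafe_scheme_hrefs(html).inspect}"
end
```

The check in unsafe_scheme_hrefs is intentionally simple; it is meant to run over the output of a directory-listing component in a test suite, not to parse arbitrary HTML.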

Affected Version(s)

rack < 2.2.22 (fixed in 2.2.22)

rack >= 3.0.0.beta1, < 3.1.20 (fixed in 3.1.20)

rack >= 3.2.0, < 3.2.5 (fixed in 3.2.5)

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved