SSRF and XXE Vulnerabilities in Nokogiri XML and HTML Library for Ruby
CVE-2026-57234

2.6 LOW

Key Information:

CVE Published:
25 June 2026

What is CVE-2026-57234?

Nokogiri is an XML and HTML parsing library for Ruby. Before version 1.19.4, the JRuby implementation of Nokogiri did not honour the NONET parse option when building a schema: schemas were parsed with the underlying parser's default options, which allow external resources to be fetched over the network (for example the target of an xs:import or xs:include, or an external entity declared in the schema document). An application that builds a schema from untrusted or attacker-influenced input could therefore be made to issue outbound requests (Server-Side Request Forgery, SSRF) or to resolve external entities (XML External Entity, XXE). The issue is specific to the JRuby implementation; the CRuby (libxml2-based) implementation is not affected. Users should update to Nokogiri 1.19.4, which fixes the problem.
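As an added example (not Nokogiri project code and not taken from this advisory), the Ruby below rejects a schema source that references anything external before it is handed to Nokogiri::XML::Schema, so the application does not depend on the parser honouring NONET. The check is pure Ruby and runs without the gem; the sample schemas, the internal.example.test hostnames and the helper names are constructed for illustration, and the default builder assumes the positional-options call form Nokogiri::XML::Schema.new(source, Nokogiri::XML::ParseOptions::NONET).

```ruby
# Added example, not Nokogiri project code. Pre-flight check that rejects an
# XSD source referencing anything external *before* it is handed to
# Nokogiri::XML::Schema, so the application does not depend on the parser
# honouring NONET (which the JRuby implementation did not, before 1.19.4).

class UnsafeSchemaError < StandardError; end

# Patterns are applied to the raw XSD text. XML element and attribute *names*
# cannot be entity-encoded, so matching names in the raw text is reliable;
# only attribute values can be, and these patterns never depend on a value.
# A match inside a comment is a false positive (the schema is rejected), which
# is the direction we want to fail in.
SCHEMA_EXTERNAL_REF_PATTERNS = {
  # <xs:import>, <xs:include>, <xs:redefine>, <xs:override>, with any prefix
  composition_element: /<\s*(?:[\w.-]+:)?(?:import|include|redefine|override)\b/i,
  # schemaLocation / noNamespaceSchemaLocation attributes, any prefix
  schema_location: /\b(?:noNamespace)?schemaLocation\s*=/i,
  # A DTD on the schema document itself can declare external entities (XXE)
  doctype: /<!DOCTYPE\b/i,
  entity_decl: /<!ENTITY\b/i,
}.freeze

# Returns one finding per match: { kind:, line:, match: }. Empty array = clean.
def external_references(xsd_source)
  findings = []
  xsd_source.each_line.with_index(1) do |line, lineno|
    SCHEMA_EXTERNAL_REF_PATTERNS.each do |kind, re|
      line.scan(re) { findings << { kind: kind, line: lineno, match: $~[0] } }
    end
  end
  findings
end

def schema_source_safe?(xsd_source)
  external_references(xsd_source).empty?
end

# Default builder: passes NONET explicitly rather than relying on the default,
# so the intent is visible in the code. Assumes the positional-options form
# Nokogiri::XML::Schema.new(source, options). Loaded lazily so this file runs
# without the gem installed (the check itself is pure Ruby).
NOKOGIRI_SCHEMA_BUILDER = lambda do |source|
  require "nokogiri"
  Nokogiri::XML::Schema.new(source, Nokogiri::XML::ParseOptions::NONET)
end

# Rejects unsafe sources, otherwise hands the source to `builder`. The builder
# is injectable so the check can be exercised (and unit-tested) without Nokogiri.
def load_schema_strictly(xsd_source, builder: NOKOGIRI_SCHEMA_BUILDER)
  refs = external_references(xsd_source)
  unless refs.empty?
    detail = refs.map { |r| "#{r[:kind]} at line #{r[:line]} (#{r[:match].strip})" }.join("; ")
    raise UnsafeSchemaError, "schema references external resources: #{detail}"
  end
  builder.call(xsd_source)
end

# --- Constructed sample inputs (hostnames are illustrative, not real) --------

# Composes a second schema from the network: on an implementation that ignores
# NONET this becomes an outbound HTTP request from the application (SSRF).
REMOTE_IMPORT_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example:orders" xmlns="urn:example:orders">
    <xs:import namespace="urn:example:shared"
               schemaLocation="http://internal.example.test/shared.xsd"/>
    <xs:element name="order" type="xs:string"/>
  </xs:schema>
XSD

# Classic XXE shape on the schema document itself.
EXTERNAL_ENTITY_XSD = <<~XSD
  <?xml version="1.0"?>
  <!DOCTYPE xs:schema [
    <!ENTITY ext SYSTEM "http://internal.example.test/secret.xml">
  ]>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD

# Self-contained schema with no external references.
CLEAN_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="order">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="id" type="xs:integer"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
  </xs:schema>
XSD

if __FILE__ == $PROGRAM_NAME
  { remote_import: REMOTE_IMPORT_XSD, external_entity: EXTERNAL_ENTITY_XSD, clean: CLEAN_XSD }.each do |name, src|
    verdict = schema_source_safe?(src) ? "safe" : "REJECT"
    where = external_references(src).map { |r| "#{r[:kind]}@#{r[:line]}" }.join(" ")
    puts "#{name}: #{verdict} #{where}"
  end
end
```

The check deliberately fails closed: anything that looks like schema composition, a schemaLocation attribute or a DTD is rejected, including legitimate uses, because a schema that needs those cannot be parsed safely on an implementation that ignores NONET. It is defence in depth for code that must keep running on an unpatched JRuby; updating to 1.19.4 remains the fix.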

Affected Version(s)

nokogiri < 1.19.4 (JRuby implementation only; fixed in 1.19.4)

CVSS v3.1

Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Score: 2.6
Severity: LOW
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 June 2026
