Description
Ruby on Rails web applications that pass unverified user input to the render method in a controller or a view may be vulnerable to code injection.
Remediation
All users running an affected release should either upgrade or use one of the workarounds immediately. A workaround for this issue is to not pass arbitrary user input to the render method. Instead, verify that data before passing it to the render method. Consult the Web references for more information about this issue.
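The following is an added example, not code from the advisory or from Rails itself, showing the vulnerable pattern (a raw request parameter handed to render) beside the remediated one (an allowlist check that only lets a known template name through). It runs without Rails: ReportsController, its recording render method, ALLOWED_TEMPLATES and the "template" parameter are all assumptions made for the example.

```ruby
# Added example: allowlist validation in front of Rails' render. The controller
# below is a Rails-free stand-in so the snippet runs on its own; names such as
# ReportsController, ALLOWED_TEMPLATES and the "template" param are assumed.

ALLOWED_TEMPLATES = %w[summary details history].freeze

class UnsafeTemplate < ArgumentError; end

# Validate a user-supplied template name. Returns the name if it is a plain
# String on the allowlist; raises UnsafeTemplate otherwise.
def safe_template_name(value, allowed: ALLOWED_TEMPLATES)
  # Rails parameters can arrive as a nested Hash-like object
  # (?template[key]=...). render treats a Hash as an options hash, not a
  # template name, so anything that is not a String is rejected outright.
  unless value.is_a?(String)
    raise UnsafeTemplate, "template must be a String, got #{value.class}"
  end
  name = value.strip
  unless allowed.include?(name)
    raise UnsafeTemplate, "template #{name.inspect} is not on the allowlist"
  end
  name
end

# Stand-in for an ActionController::Base subclass (assumption: Rails is not
# loaded here). #render records its argument instead of rendering a template.
class ReportsController
  attr_reader :rendered, :status

  def initialize(params)
    @params = params
    @status = 200
  end

  # Vulnerable pattern from the advisory: the raw parameter reaches render.
  def show_unsafe
    render @params["template"]
  end

  # Remediated pattern: only an allowlisted String is passed to render.
  def show_safe
    render safe_template_name(@params["template"])
  rescue UnsafeTemplate
    @status = 404
    render "not_found"
  end

  private

  # Records what would have been rendered so the behaviour can be inspected.
  def render(arg)
    @rendered = arg
  end
end

# Constructed sample requests (not from the advisory).
def demo
  expected = ReportsController.new("template" => "summary")
  expected.show_safe
  # Hash-valued parameter: the unsafe action forwards it to render unchanged,
  # the safe action rejects it and falls back to a fixed template.
  hash_param = { "inline" => "constructed value" }
  unsafe = ReportsController.new("template" => hash_param)
  unsafe.show_unsafe
  safe = ReportsController.new("template" => hash_param)
  safe.show_safe
  { expected: expected.rendered, unsafe: unsafe.rendered, safe: [safe.status, safe.rendered] }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real application the same check belongs in the controller action (or a before_action) so that render only ever receives a literal template name chosen from a fixed set; the user's input selects among those names but is never passed through as-is.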
References
Related Vulnerabilities
WordPress Plugin WP-Live Chat by 3CX Remote Code Execution (7.0.01)
Drupal Core 9.3.x Remote Code Execution (9.3.0 - 9.3.18)
Ingress-Nginx "IngressNightmare" RCE (CVE-2025-1974)
uWSGI Unauthorized Access Vulnerability
Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)