CVE-2026-34060
9.8 CRITICAL · Ruby LSP is an implementation of the language server protocol for Ruby
Published: 2026-03-31 · Last updated: 2026-06-03
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-94 (Improper Control of Generation of Code, i.e. code injection)
Affected products
| Vendor | Product |
|---|---|
| shopify | ruby_lsp |
Description
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
Source: NVD
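The mechanism behind the description above, as an added illustrative example that is not code from the ruby-lsp project or the Shopify.ruby-lsp extension: a generator that interpolates the rubyLsp.branch value straight into Gemfile source, a minimal stand-in for Bundler's Gemfile DSL that evaluates the file as Ruby (which is what makes a Gemfile injection arbitrary code execution), and a hardened generator that allow-lists the branch name and emits it with String#inspect. The settings JSON payloads, the Gemfile template, the FakeGemfileDSL class, the SAFE_BRANCH pattern and the $pwned marker are all constructed for this example; the real template and setting-handling code in ruby-lsp are not reproduced here.

```ruby
# Added illustrative example, not code from the ruby-lsp project.
# Models the bug class: a VS Code workspace setting (rubyLsp.branch) is
# interpolated into a generated Gemfile, and a Gemfile is Ruby source that
# Bundler executes, so control over that string is code execution.
require "json"

# Constructed .vscode/settings.json payloads (not real-world samples).
# The malicious value closes the quoted branch literal, appends arbitrary
# Ruby, and comments out the template's closing quote so the line parses.
MALICIOUS_SETTINGS_JSON = <<~'JSON'
  { "rubyLsp.branch": "main\"; $pwned = true #" }
JSON
BENIGN_SETTINGS_JSON = <<~'JSON'
  { "rubyLsp.branch": "release/1.2" }
JSON

# Hypothetical stand-in for Bundler's Gemfile DSL, written for this demo:
# it records gem declarations and, like Bundler, evaluates the file as Ruby.
class FakeGemfileDSL
  attr_reader :gems

  def initialize
    @gems = []
  end

  def source(_uri); end

  def gem(name, **opts)
    @gems << [name, opts]
  end

  def evaluate(contents)
    instance_eval(contents, "Gemfile", 1)
    self
  end
end

# Vulnerable pattern: the setting goes into the template unescaped.
def vulnerable_gemfile(branch)
  <<~RUBY
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: "#{branch}"
  RUBY
end

# Hardened pattern: allow-list the branch name first, then emit it with
# String#inspect so the Gemfile receives a properly quoted Ruby literal.
# The allow-list is an assumption of this example; it excludes quotes,
# backslashes, whitespace and interpolation characters outright.
SAFE_BRANCH = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}\z/

def safe_branch!(branch)
  unless branch.is_a?(String) && branch.match?(SAFE_BRANCH)
    raise ArgumentError, "rejected rubyLsp.branch: #{branch.inspect}"
  end
  branch
end

def hardened_gemfile(branch)
  literal = safe_branch!(branch).inspect
  <<~RUBY
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: #{literal}
  RUBY
end

# Reads the setting the way an extension would, generates the Gemfile with
# the given generator and evaluates it. $pwned is the demo's marker for
# "attacker-controlled Ruby ran"; a real payload would call system(...).
def open_workspace(settings_json, generator)
  branch = JSON.parse(settings_json).fetch("rubyLsp.branch")
  $pwned = false
  dsl = FakeGemfileDSL.new.evaluate(generator.call(branch))
  { pwned: $pwned, gems: dsl.gems }
rescue ArgumentError => e
  { pwned: $pwned, rejected: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p open_workspace(MALICIOUS_SETTINGS_JSON, method(:vulnerable_gemfile))
  p open_workspace(MALICIOUS_SETTINGS_JSON, method(:hardened_gemfile))
  p open_workspace(BENIGN_SETTINGS_JSON, method(:hardened_gemfile))
end
```

Run it with `ruby example.rb`: the vulnerable generator evaluates the malicious workspace setting and sets the marker, the hardened one rejects it before any evaluation, and the benign branch passes through as a quoted literal. The allow-list comes before the escaping on purpose: String#inspect stops the quote-breakout, but a Gemfile is executed rather than parsed, so refusing anything that is not plausibly a git ref keeps the attack surface small if the escaping is ever changed. To check exposure on a workstation, compare the installed gem (`gem list ruby-lsp`) against 0.26.9 and the extension (`code --list-extensions --show-versions`, look for Shopify.ruby-lsp) against 0.10.2, and treat any repository's .vscode/settings.json as untrusted input until those versions are in place.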
Related CVEs
Same vendor
- CVE-2026-42342 — React Router is a router for React (7.5 HIGH)
- CVE-2026-42211 — React Router is a router for React (8.1 HIGH)
- CVE-2026-40181 — React Router is a router for React (6.1 MEDIUM)
- CVE-2026-34077 — React Router is a router for React (7.5 HIGH)
- CVE-2026-33245 — React Router is a router for React (8.0 HIGH)
Same CWE
- CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
- CVE-2026-54057 — Kitty is a cross-platform GPU based terminal
- CVE-2026-12130 — A security flaw has been discovered in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-12129 — A vulnerability was identified in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-42890 — Actual is an open-source personal finance application