PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44587 carrierwaveuploader CVE debrief

CVE-2026-44587 is a vulnerability in CarrierWave, a Ruby framework for uploading files. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. This issue has been fixed in versions 2.2.7 and 3.1.3. The vulnerability could allow an attacker to upload malicious files, potentially leading to stored XSS attacks. Developers and administrators using CarrierWave in their Ruby applications should be aware of this vulnerability and take steps to mitigate it.

Vendor
carrierwaveuploader
Product
carrierwave
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Developers and administrators using CarrierWave in their Ruby applications should be aware of this vulnerability and take steps to mitigate it. This vulnerability could allow an attacker to upload malicious files, potentially leading to stored XSS attacks. Affected operators, platforms, vulnerability-management, and security teams should review the official advisory and take necessary actions.

Technical summary

The content_type_denylist check in CarrierWave fails to escape regex metacharacters in string entries. This causes the denylist to silently not match the content types it is intended to block. For example, an entry such as 'image/svg+xml' becomes the pattern '/image//svg+xml/', in which '+' is treated as a quantifier rather than a literal character and therefore never matches the real MIME type 'image/svg+xml'. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a '^' anchor. As a result, any application that relies on content_type_denylist to block 'image/svg+xml', most commonly to prevent stored XSS, is silently unprotected.

Defensive priority

High

Recommended defensive actions

  • Upgrade to CarrierWave version 2.2.7 or 3.1.3 or later
  • Review and update content_type_denylist entries to ensure they are properly escaped
  • Implement additional security measures to prevent stored XSS attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T13:20:40.703Z and was last modified on 2026-06-18T15:24:29.620Z. The NVD entry is currently Analyzed. This issue has been fixed in versions 2.2.7 and 3.1.3. Developers should verify the affected scope and severity based on the official advisory. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:40.703Z and has not been modified since then. The NVD entry is currently Analyzed.