PatchSiren cyber security CVE debrief
CVE-2026-44587 carrierwaveuploader CVE debrief
CVE-2026-44587 is a vulnerability in CarrierWave, a Ruby framework for uploading files. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. This issue has been fixed in versions 2.2.7 and 3.1.3. The vulnerability could allow an attacker to upload malicious files, potentially leading to stored XSS attacks. Developers and administrators using CarrierWave in their Ruby applications should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- carrierwaveuploader
- Product
- carrierwave
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
Developers and administrators using CarrierWave in their Ruby applications should be aware of this vulnerability and take steps to mitigate it. This vulnerability could allow an attacker to upload malicious files, potentially leading to stored XSS attacks. Affected operators, platforms, vulnerability-management, and security teams should review the official advisory and take necessary actions.
Technical summary
The content_type_denylist check in CarrierWave fails to escape regex metacharacters in string entries. This causes the denylist to silently not match the content types it is intended to block. For example, an entry such as 'image/svg+xml' becomes the pattern '/image//svg+xml/', in which '+' is treated as a quantifier rather than a literal character and therefore never matches the real MIME type 'image/svg+xml'. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a '^' anchor. As a result, any application that relies on content_type_denylist to block 'image/svg+xml', most commonly to prevent stored XSS, is silently unprotected.
Defensive priority
High
Recommended defensive actions
- Upgrade to CarrierWave version 2.2.7 or 3.1.3 or later
- Review and update content_type_denylist entries to ensure they are properly escaped
- Implement additional security measures to prevent stored XSS attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-17T13:20:40.703Z and was last modified on 2026-06-18T15:24:29.620Z. The NVD entry is currently Analyzed. This issue has been fixed in versions 2.2.7 and 3.1.3. Developers should verify the affected scope and severity based on the official advisory. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block.
Official resources
-
CVE-2026-44587 CVE record
CVE.org
-
CVE-2026-44587 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Vendor Advisory, Exploit
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:40.703Z and has not been modified since then. The NVD entry is currently Analyzed.