PatchSiren

carrierwaveuploader CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM carrierwaveuploader CVE published 2026-06-17

CVE-2026-44587

CVE-2026-44587 is a vulnerability in CarrierWave, a Ruby framework for uploading files. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. This issue has been fixed in versions 2.2.7 and 3.1.3. The vulnerability could allow an attacker to upload malicious files, potentially leading to [truncated]