MEDIUM
carrierwaveuploader
CVE published 2026-06-17
CVE-2026-44587
CVE-2026-44587 is a vulnerability in CarrierWave, a Ruby framework for uploading files. The content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. This issue has been fixed in versions 2.2.7 and 3.1.3. The vulnerability could allow an attacker to upload malicious files, potentially leading to [truncated]