CVE-2026-34827 is a denial of service vulnerability in Rack's multipart parsing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. The vulnerability affects Ra [truncated]
CVE-2026-34829 is a high-severity vulnerability in Rack, a modular Ruby web server interface. The vulnerability exists in Rack::Multipart::Parser, which fails to limit the size of multipart/form-data requests when the Content-Length header is absent, such as with HTTP chunked transfer encoding. This allows an unauthenticated attacker to stream large files and consume unbounded disk space, resulting in a d [truncated]
CVE-2026-34785 is a high-severity vulnerability in Rack, a modular Ruby web server interface. The issue lies in Rack::Static's handling of static files, where a simple string prefix check is used to determine whether a request should be served as a static file. When Rack::Static is configured with URL prefixes like '/css', this check can be bypassed, allowing files under the static root to be served unintentionally if their names share the co [truncated]